14 matches found
CVE-2024-52008
Fides (open-source privacy engineering platform) has a password policy bypass in its invite flow. The /api/v1/user/accept-invite endpoint does not enforce the server-side password policy, allowing an invited user to set an arbitrarily weak password during initial account setup despite UI client-s...
CVE-2023-36827
CVE-2023-36827 (Fides) : A path traversal vulnerability affects Fides webserver in versions below 2.15.1, enabling remote attackers to access arbitrary files on the webserver container filesystem. The issue is fixed in 2.15.1. If the webserver API is behind a reverse proxy and the proxy is an AWS...
CVE-2024-38537
Fides (Ethical) vulnerability CVE-2024-38537 affects the client-side script fides.js, which in a limited edge case used the polyfill.io domain to support legacy browsers (IE11) lacking fetch. If the polyfill.io domain was compromised, legacy-browser users could download and execute malicious scri...
CVE-2024-35189
Fides vulnerability CVE-2024-35189 affects the BigQuery connection configuration secrets, where a bug in masking nested sensitive fields allowed plaintext exposure via API endpoints. Affected component: BigQuerySchema secrets structure containing keyfile_creds.private_key exposed in plaintext acr...
CVE-2023-46125
CVE-2023-46125 affects the Fides open-source privacy platform. The vulnerability arises in the webserver API’s GET /api/v1/config endpoint, where configuration data is returned with sensitive internals and backend details (e.g., settings, server addresses/ports, database username) despite filteri...
CVE-2023-48224
CVE-2023-48224 affects Fides (Privacy Center) where one-time verification codes are generated using Python’s weak random module. The root cause is a cryptographically weak pseudo-random number generator, allowing an attacker who observes several hundred codes to predict future codes within the ba...
CVE-2023-46124
CVE-2023-46124 affects the Fides web application. Specially crafted YAML dataset/configs uploaded as a ZIP can trigger Server-Side Request Forgery, allowing a malicious user to issue arbitrary requests to internal resources (including localhost) and exfiltrate data. The root cause is inadequate v...
CVE-2023-46126
CVE-2023-46126 affects Fides: a JavaScript injection risk in the privacy policy URL editable by Admin UI users with contributor+ permissions. The flaw allows crafting a payload in the privacy policy URL that executes JavaScript when the privacy notice is served by an integrated website; the execu...
CVE-2024-34715
CVE-2024-34715 affects the Fides webserver, where an improper escaping of the SQLAlchemy password string can cause the database password to be partially exposed in webserver logs when the password contains characters like @ or $. This is due to insufficient escaping of the password in the connect...
CVE-2024-45052
Affected software : Fides Webserver authentication (part of the Fides platform). Vulnerability : timing-based username enumeration where an unauthenticated attacker can deduce valid usernames by measuring login response times. Root cause / mechanics : observable timing discrepancy between respons...
CVE-2025-57817
The CVE describes a privilege-escalation flaw in Fides: before version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment, allowing users with client:create or client:update permissions to elevate to owner-level. Affected c...
CVE-2025-57815
CVE-2025-57815 (Fides) describes a lack of anti-automation protections on the Admin UI login endpoint prior to version 2.69.1, enabling brute-force style credential testing (credential stuffing/password spraying) against accounts with weak or compromised passwords. Affected product: Fides (Open S...
CVE-2025-57816
CVE-2025-57816 concerns the Fides Webserver API rate limiting. The issue arises in deployments that rely on the built‑in IP‑based rate limiter in proxied environments (CDNs, proxies, load balancers): limits are applied to the immediate connection IP rather than the client IP, and counters are sto...
CVE-2025-57766
CVE-2025-57766 affects the Fides open-source privacy engineering platform. Prior to version 2.69.1, when an admin UI password is changed, existing active sessions are not invalidated, allowing an attacker who has obtained a valid session token (for example via XSS or other vector) to maintain acc...