5.4 Medium (CVSS3)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
AI Score: 6.5 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 23.6%)
ethyca-fides is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to a lack of proper validation in privacy_experience.py, which results in inadequate verification of privacy policy URLs. This flaw allows an attacker to place a malicious payload in the privacy policy URL. When the manipulated privacy notice is served by an integrated website, it can trigger JavaScript execution. It is important to note that exploitation is limited to Admin UI users with the contributor role or higher.
CPE | Name | Operator | Version |
---|---|---|---|
| | ethyca-fides | le | 2.22.1rc1 |
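As an added, defensive illustration (not Fides's own code; the function name and the allow-list rules are assumptions), a strict validator of the kind the advisory describes as missing: it accepts only absolute http(s) URLs, so a stored privacy policy URL can never carry an active-content scheme into the served notice.

```python
# Added example: allow-list validation for a user-supplied privacy policy URL.
# This is NOT Fides's privacy_experience.py; names and rules are assumptions.
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def validate_privacy_policy_url(value: str) -> str:
    """Return the URL unchanged if it is an absolute http(s) URL with a host.

    Anything else (schemes such as javascript: or data:, scheme-relative or
    relative links, embedded whitespace or control characters) raises
    ValueError, so the stored value cannot become an active link target.
    """
    if not isinstance(value, str):
        raise ValueError("privacy policy URL must be a string")
    candidate = value.strip()
    # Whitespace/control characters inside a URL signal tampering: browsers
    # drop some of them while parsing, which defeats naive prefix checks.
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in candidate):
        raise ValueError("privacy policy URL contains whitespace or control characters")
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} is not allowed")
    if not parts.hostname:
        raise ValueError("privacy policy URL must be absolute and include a host")
    return candidate


def is_valid_privacy_policy_url(value: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_privacy_policy_url(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: one acceptable URL, several that must be rejected.
    for sample in ("https://example.com/privacy", "javascript:void(0)",
                   "data:text/html,x", "//example.com/privacy", "java\tscript:x"):
        print(f"{sample!r:32} -> {is_valid_privacy_policy_url(sample)}")
```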