Lucene search

Veracode Vulnerability DatabaseVERACODE:44206

HistoryNov 09, 2023 - 7:43 a.m.

HTML Injection

2023-11-0907:43:22

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

ethyca-fides

html injection

input validation

connected systems

data stores

phishing attacks

js execution

rogue admin ui users

data subject user

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

7.1 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

28.5%

JSON

ethyca-fides is vulnerable to HTML Injection. The vulnerability arises due lack of of input validation coming from connected systems and data stores which is reflected in the downloaded data. This results in an HTML injection that can be abused to perform phishing attacks or malicious JS execution. Exploitation is limited to rogue admin UI users, malicious connected system and data subject user if tricked via a phishing attack.

CPENameOperatorVersion
ethyca-fidesle2.23.1b0
ethyca-fidesle2.23.1b0

CPE	Name	Operator	Version
	ethyca-fides	le	2.23.1b0
	ethyca-fides	le	2.23.1b0

References

github.com/ethyca/fides/commit/50360a0e24aac858459806bb140bb1c4b71e67a1

github.com/ethyca/fides/releases/tag/2.23.3

github.com/ethyca/fides/security/advisories/GHSA-3vpf-mcj7-5h38

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

7.1 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

28.5%

JSON

Related for VERACODE:44206