Skip to main content

Fides CVE-2023-46126

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-10-25 security-advisories@github.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 25, 2023 - 18:17 nvd
MEDIUM 5.4

DescriptionNVD

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, helping enforce privacy regulations in code. The Fides web application allows users to edit consent and privacy notices such as cookie banners. The vulnerability makes it possible to craft a payload in the privacy policy URL which triggers JavaScript execution when the privacy notice is served by an integrated website. The domain scope of the executed JavaScript is that of the integrated website. Exploitation is limited to Admin UI users with the contributor role or higher. The vulnerability has been patched in Fides version 2.22.1.

AnalysisAI

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, helping enforce privacy regulations in code. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, helping enforce privacy regulations in code. The Fides web application allows users to edit consent and privacy notices such as cookie banners. The vulnerability makes it possible to craft a payload in the privacy policy URL which triggers JavaScript execution when the privacy notice is served by an integrated website. The domain scope of the executed JavaScript is that of the integrated website. Exploitation is limited to Admin UI users with the contributor role or higher. The vulnerability has been patched in Fides version 2.22.1. Affected products include: Ethyca Fides.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Fides

View all
CVE-2024-45053 HIGH POC
7.2 Sep 04

Fides is an open-source privacy engineering platform. Rated high severity (CVSS 7.2), this vulnerability is remotely exp

CVE-2024-35189 MEDIUM POC
6.5 May 30

Fides is an open-source privacy engineering platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely e

CVE-2024-38537 CRITICAL
9.8 Jul 02

Fides is an open-source privacy engineering platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2024-45052 MEDIUM POC
5.3 Sep 04

Fides is an open-source privacy engineering platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely e

CVE-2024-31223 MEDIUM POC
5.3 Jul 03

Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration env

CVE-2023-48224 CRITICAL
9.1 Nov 15

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2023-36827 HIGH
7.5 Jul 05

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2024-34715 LOW POC
3.3 May 29

Fides is an open-source privacy engineering platform. Rated low severity (CVSS 3.3), this vulnerability is low attack co

CVE-2023-46124 HIGH
7.2 Oct 25

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime en

CVE-2023-41319 HIGH
7.2 Sep 06

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2023-46125 MEDIUM
6.5 Oct 25

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2023-47114 MEDIUM
6.1 Nov 08

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runti

Share

CVE-2023-46126 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy