PyPI package
ethyca-fides
pkg:pypi/ethyca-fides
Vulnerabilities (22)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44541 | High | — | — | >= 2.33.0, < 2.84.5 | 2.84.5 | May 14, 2026 | Summary: `fides.js` is the script that renders Fides's consent banner on customer websites. It lets the embedding page override the banner's description text at runtime via a URL query parameter, a JavaScript global, or a cookie. On sites that have opted into HTML-formatted d |
| CVE-2026-42303 | Medium | — | — | >= 2.75.0, < 2.83.2 | 2.83.2 | May 12, 2026 | Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request who |
| CVE-2025-57817 | — | — | — | < 2.69.1 | 2.69.1 | Sep 8, 2025 | Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permiss |
| CVE-2025-57816 | — | — | — | < 2.69.1 | 2.69.1 | Sep 8, 2025 | Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected inf |
| CVE-2025-57766 | — | — | — | < 2.69.1 | 2.69.1 | Sep 8, 2025 | Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vecto |
| CVE-2025-57815 | — | — | — | < 2.69.1 | 2.69.1 | Sep 8, 2025 | Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could all |
| CVE-2024-52008 | — | — | — | < 2.50.0 | 2.50.0 | Nov 26, 2024 | Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirement |
| CVE-2024-45053 | — | — | — | >= 2.19.0, < 2.44.0 | 2.44.0 | Sep 4, 2024 | Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants |
| CVE-2024-45052 | — | — | — | < 2.44.0 | 2.44.0 | Sep 4, 2024 | Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyz |
| CVE-2024-31223 | — | — | — | >= 2.19.0, < 2.39.2 | 2.39.2 | Jul 3, 2024 | Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes |
| CVE-2024-38537 | — | — | — | < 2.39.1 | 2.39.1 | Jul 2, 2024 | Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support th |
| CVE-2024-35189 | — | — | — | < 2.37.0 | 2.37.0 | May 30, 2024 | Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored e |
| CVE-2024-34715 | — | — | — | < 2.37.0 | 2.37.0 | May 29, 2024 | Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` a |
| CVE-2023-48224 | — | — | — | < 2.24.0 | 2.24.0 | Nov 15, 2023 | Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides Privacy Center allows data subject users to submit privacy and consent requests to da |
| CVE-2023-47114 | — | — | — | >= 2.15.1, < 2.23.3 | 2.23.3 | Nov 8, 2023 | Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runtime environment, and the enforcement of privacy regulations in your code. The Fides web application allows data subject users to request access to their personal |
| CVE-2023-46124 | — | — | — | < 2.22.1 | 2.22.1 | Oct 24, 2023 | Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, and the enforcement of privacy regulations in code. The Fides web application allows a custom integration to be uploaded as a ZIP file containing co |
| CVE-2023-46125 | — | — | — | < 2.22.1 | 2.22.1 | Oct 24, 2023 | Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config |
| CVE-2023-46126 | — | — | — | < 2.22.1 | 2.22.1 | Oct 24, 2023 | Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, helping enforce privacy regulations in code. The Fides web application allows users to edit consent and privacy notices such as cookie banners. The |
| CVE-2023-41319 | — | — | — | >= 2.11.0, < 2.19.0 | 2.19.0 | Sep 6, 2023 | Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows custom integrations to be uploaded as a ZIP file. This ZIP file |
| CVE-2023-37480 | — | — | — | >= 2.11.0, < 2.16.0 | 2.16.0 | Jul 18, 2023 | Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit a weakness in the connector template upload feature to upload a ma |
Page 1 of 2