PT-2023-30319 · Fides

H0Wl

Published 2023-11-08 · Updated 2023-11-16

CVE-2023-47114

CVSS v3.1: 4.3 Medium

Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.23.3

Description: The Fides web application is vulnerable to an HTML injection issue due to the lack of validation of input coming from connected systems and data stores. This can result in malicious JavaScript code execution or phishing attacks when a data subject user accesses an HTML page using the file:// protocol. Exploitation is limited to rogue Admin UI users, malicious connected system or data store users, and the data subject user if tricked via social engineering into submitting malicious data themselves.

Recommendations: For versions prior to 2.23.3, upgrade to version 2.23.3 or later to secure the system against this threat. As a temporary workaround, consider configuring the storage destination to use json or csv instead of html as the package format to eliminate this vulnerability.
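The root cause described above is output encoding, not input validation at the source: values returned by connected systems are written into an HTML results package verbatim, and once a data subject opens that file from disk the browser renders whatever markup the values contain. The example below is added here and is not Fides code; it shows the vulnerable rendering pattern next to a hardened one that entity-encodes every untrusted value with `html.escape`. The records, field names and the `contains_active_markup` review helper are constructed for illustration.

```python
import html

# Constructed sample records, shaped like rows a connected data store might
# return for an access request. The second row carries an HTML fragment to
# show the failure mode; none of this is real Fides data or Fides code.
SAMPLE_RECORDS = [
    {"system": "crm", "field": "email", "value": "alice@example.com"},
    {"system": "warehouse", "field": "nickname",
     "value": "<script>/* constructed marker */</script>"},
    {"system": "support", "field": "note",
     "value": 'a "quoted" & <b>bold</b> note'},
]


def render_rows_unescaped(records):
    """Vulnerable pattern: connected-system values are interpolated raw,
    so any markup they contain becomes part of the page."""
    return "".join(
        f"<tr><td>{r['system']}</td><td>{r['field']}</td><td>{r['value']}</td></tr>"
        for r in records
    )


def render_rows_escaped(records):
    """Hardened pattern: every value is entity-encoded for HTML text context.
    quote=True also encodes quotes, so the same helper is safe inside attributes."""
    def esc(value):
        return html.escape(str(value), quote=True)

    return "".join(
        f"<tr><td>{esc(r['system'])}</td><td>{esc(r['field'])}</td>"
        f"<td>{esc(r['value'])}</td></tr>"
        for r in records
    )


def build_package(records, safe=True):
    """Assemble a minimal stand-alone HTML results document, the kind of file a
    data subject would open locally via file://."""
    rows = render_rows_escaped(records) if safe else render_rows_unescaped(records)
    return (
        "<!DOCTYPE html><html><head><meta charset='utf-8'>"
        "<title>Access request results</title></head><body>"
        "<table><tr><th>System</th><th>Field</th><th>Value</th></tr>"
        f"{rows}</table></body></html>"
    )


def contains_active_markup(doc):
    """Hypothetical review check, not a sanitizer: flags a raw <script tag that
    survived into the generated document."""
    return "<script" in doc.lower()


if __name__ == "__main__":
    for safe in (False, True):
        doc = build_package(SAMPLE_RECORDS, safe=safe)
        print(f"safe={safe}: active markup present? {contains_active_markup(doc)}")
```

Because the package is opened from the local file system there are no HTTP response headers, so a header-delivered Content-Security-Policy cannot act as a backstop; correct encoding at generation time is the control that matters. The json and csv workaround named in the recommendation works for the same reason: the browser does not interpret those formats as markup, so injected tags are never rendered.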

XSS


Weakness Enumeration

Related Identifiers

CVE-2023-47114
GHSA-3VPF-MCJ7-5H38

Affected Products

Fides