H0Wl

**Name of the Vulnerable Software and Affected Versions** Fides versions prior to 2.50.0 **Description** The user invite acceptance API endpoint `/api/v1/user/accept-invite` lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. This vulnerability allows an invited user to set an extremely weak password for their own account during the initial account setup process, making it easily compromisable by an attacker guessing or brute forcing the password. **Recommendations** For Fides versions prior to 2.50.0, upgrade to version 2.50.0 or later to secure the system against this threat. As a temporary workaround, consider restricting access to the `/api/v1/user/accept-invite` API endpoint until the patch is applied. Avoid using weak passwords for new user accounts until the issue is resolved. There are no other known workarounds for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Fides versions prior to 2.23.3 **Description** The Fides web application is vulnerable to an HTML injection issue due to the lack of validation of input coming from connected systems and data stores. This can result in malicious JavaScript code execution or phishing attacks when a data subject user accesses an HTML page using the `file://` protocol. Exploitation is limited to rogue Admin UI users, malicious connected system or data store users, and the data subject user if tricked via social engineering into submitting malicious data themselves. **Recommendations** For versions prior to 2.23.3, upgrade to version 2.23.3 or later to secure the system against this threat. As a temporary workaround, consider configuring the storage destination to use `json` or `csv` instead of `html` as the package format to eliminate this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Fides versions prior to 2.22.1 **Description** The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers’ addresses and ports and database username. This information is useful for administrative users as well as attackers, thus it should not be revealed to low-privileged users. This issue allows Admin UI users with roles lower than the owner role, e.g., the viewer role, to retrieve the config information using the API. **Recommendations** For Fides versions prior to 2.22.1, upgrade to version 2.22.1 or later to secure the system against this threat. As a temporary workaround, consider restricting access to the `GET api/v1/config` endpoint to minimize the risk of exploitation.