Robertkeyser

**Name of the Vulnerable Software and Affected Versions** Fides versions prior to 2.44.0 **Description** A timing-based username enumeration vulnerability exists in Fides Webserver authentication, allowing an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This information can be used to conduct further attacks on authentication, such as password brute-forcing and credential stuffing. **Recommendations** To resolve the issue, upgrade to Fides version 2.44.0 or later. There are no workarounds for this vulnerability. As a temporary mitigation measure, consider restricting access to the authentication endpoint until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Fides versions prior to 2.24.0 **Description** The Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web application. If `subject identity verification required` is set to `True`, data subjects are sent a one-time code to their email address or phone number. However, the one-time code values were generated by the python `random` module, a cryptographically weak pseudo-random number generator. This allows an attacker to predict all future one-time code values during the lifetime of the backend python process, enabling them to submit verified data erasure requests or modify a user's privacy preferences. **Recommendations** For Fides versions prior to 2.24.0, upgrade to version 2.24.0 or later to secure your system against this threat. As a temporary workaround, consider setting `subject identity verification required` to `False` to prevent the use of one-time codes until a patch is applied. However, this may reduce the security of the privacy and consent request process.

**Name of the Vulnerable Software and Affected Versions** Fides versions prior to 2.23.3 **Description** The Fides web application is vulnerable to an HTML injection issue due to the lack of validation of input coming from connected systems and data stores. This can result in malicious JavaScript code execution or phishing attacks when a data subject user accesses an HTML page using the `file://` protocol. Exploitation is limited to rogue Admin UI users, malicious connected system or data store users, and the data subject user if tricked via social engineering into submitting malicious data themselves. **Recommendations** For versions prior to 2.23.3, upgrade to version 2.23.3 or later to secure the system against this threat. As a temporary workaround, consider configuring the storage destination to use `json` or `csv` instead of `html` as the package format to eliminate this vulnerability.