Thabofletcher

Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.69.1 Description: Fides is an open-source privacy engineering platform. Admin UI user password changes do not invalidate active user sessions prior to version 2.69.1, creating a vulnerability chaining opportunity. Attackers who have obtained session tokens through other attack vectors, such as cross-site scripting (XSS), can maintain access even after a password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens. Recommendations: Upgrade to version 2.69.1 or later.

Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.69.1 Description: Fides is an open-source privacy engineering platform. The Admin UI login endpoint relies on a general IP-based rate limit and lacks specific anti-automation controls, potentially allowing attackers to conduct credential testing attacks, such as credential stuffing or password spraying, against accounts with weak or previously compromised passwords. Recommendations: Update to version 2.69.1 or later. For organizations with Fides Enterprise licenses, configure Single Sign-On (SSO) through an OIDC provider (like Azure, Google, or Okta) and disable username/password authentication.