CVE-2023-46126

Name of the Vulnerable Software and Affected Versions Fides versions prior to 2.22.1

Description The Fides web application allows users to edit consent and privacy notices, such as cookie banners. A vulnerability exists where a crafted payload in the privacy policy URL can trigger JavaScript execution when the privacy notice is served by an integrated website. The domain scope of the executed JavaScript is that of the integrated website. Exploitation is limited to Admin UI users with the contributor role or higher.

Recommendations For versions prior to 2.22.1, upgrade to version 2.22.1 or later to secure the system against this threat. As a temporary workaround, consider restricting access to the Admin UI for users with the contributor role or higher until the upgrade is applied. Avoid using the privacy policy URL field in the Fides web application until the issue is resolved.