Safety vulnerability ID: 63526
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Ethyca-fides 2.22.1 addresses the moderate severity vulnerability CVE-2023-46126. This issue affected versions of Fides before 2.22.1, where the privacy policy URL field in consent and privacy notices was not properly validated. Malicious users with contributor access or higher could exploit this to execute arbitrary JavaScript on websites where Fides is integrated. The patch validates this field as a URL (it is now a Pydantic URL type), preventing such injection. https://github.com/ethyca/fides/security/advisories/GHSA-fgjj-5jmr-gh83
Latest version: 2.51.1
Open-source ecosystem for data privacy as code.
Release Pull Request
https://github.com/ethyca/fides/pull/4316
What's Changed
* Custom fields are now included in system history change tracking by galvana in [4294](https://github.com/ethyca/fides/pull/4294)
* Added hostname checks for external SaaS connector URLs [CVE-2023-46124](https://github.com/ethyca/fides/security/advisories/GHSA-jq3w-9mgf-43m4) by ThomasLaPiana
* Use a Pydantic URL type for privacy policy URLs [CVE-2023-46126](https://github.com/ethyca/fides/security/advisories/GHSA-fgjj-5jmr-gh83) by ThomasLaPiana
* Remove the CONFIG_READ scope from the Viewer role [CVE-2023-46125](https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89) by ThomasLaPiana
**Full Changelog**: https://github.com/ethyca/fides/compare/2.22.0...2.22.1