CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence: High
EPSS Percentile: 26.9%
ethyca-fides is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to a lack of proper validation in privacy_experience.py, which results in inadequate verification of privacy policy URLs. This flaw allows an attacker to place a malicious payload in the privacy policy URL. When the manipulated privacy notice is served by an integrated website, it can trigger JavaScript execution. It is important to note that exploitation is limited to Admin UI users with the contributor role or higher.