{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ethyca-fides/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["fides.js","ethyca-fides"],"_cs_severities":["high"],"_cs_tags":["xss","dom-xss","ghsa","ethyca-fides"],"_cs_type":"advisory","_cs_vendors":["ethyca"],"content_html":"\u003cp\u003eA DOM-based XSS vulnerability has been identified in \u003ccode\u003efides.js\u003c/code\u003e, the script used for rendering consent banners in Fides Enterprise deployments. The vulnerability (CVE-2026-44541) stems from a trust gap between the override mechanism, which allows banner fields like the description text to be modified via URL parameters, JavaScript globals, or cookies, and the HTML-formatted descriptions feature. When the \u003ccode\u003eFIDES_PRIVACY_CENTER__ALLOW_HTML_DESCRIPTION\u003c/code\u003e flag is enabled, the overridden description is rendered as live HTML without proper server-side sanitization, allowing attackers to inject arbitrary JavaScript code via a crafted link. This issue affects Fides Enterprise deployments using \u003ccode\u003efides.js\u003c/code\u003e with HTML-formatted banner descriptions enabled. This allows attackers to execute arbitrary JavaScript code in the embedding site\u0026rsquo;s origin. The vulnerability was patched in \u003ccode\u003eethyca/fides-privacy-center:2.84.5\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious URL containing JavaScript code within the \u003ccode\u003efides_description\u003c/code\u003e parameter (e.g., \u003ccode\u003e\u0026lt;img src=x onerror=\u0026quot;alert(`DOM XSS in fides_description. Origin: ${document.domain}`)\u0026quot;\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious URL to potential victims through phishing or other social engineering techniques.\u003c/li\u003e\n\u003cli\u003eA victim clicks on the malicious URL, which loads the page where the consent banner is supposed to render.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003efides.js\u003c/code\u003e retrieves the malicious JavaScript code from the \u003ccode\u003efides_description\u003c/code\u003e parameter in the URL.\u003c/li\u003e\n\u003cli\u003eBecause HTML-formatted descriptions are enabled (\u003ccode\u003eFIDES_PRIVACY_CENTER__ALLOW_HTML_DESCRIPTION=true\u003c/code\u003e), \u003ccode\u003efides.js\u003c/code\u003e renders the malicious JavaScript code as live HTML without sanitization.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser executes the injected JavaScript code within the context of the embedding website\u0026rsquo;s origin.\u003c/li\u003e\n\u003cli\u003e(Optional) The attacker can leverage the XSS vulnerability to set a \u003ccode\u003efides_description\u003c/code\u003e cookie, which persists the payload across all subdomains until the cookie is cleared.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to read and modify data, issue requests, and render malicious content that appears to come from the site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to execute arbitrary JavaScript code within the embedding site\u0026rsquo;s origin, granting them the same privileges as the site\u0026rsquo;s own scripts. This could lead to the theft of sensitive user data, modification of website content, redirection of users to malicious sites, or execution of arbitrary actions on behalf of the user. The cookie-based persistence variant increases the impact, as a single click can result in a persistent payload affecting all subdomains until cookies are cleared. The severity is rated HIGH with a CVSS v4 score of 7.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003eethyca-fides\u003c/code\u003e version 2.84.5 or later, or \u003ccode\u003efidesplus\u003c/code\u003e version 2.84.6, which contain the patch for CVE-2026-44541.\u003c/li\u003e\n\u003cli\u003eAs a workaround, set \u003ccode\u003eFIDES_PRIVACY_CENTER__ALLOW_HTML_DESCRIPTION=false\u003c/code\u003e on the Privacy Center container(s) to disable HTML-formatted descriptions, mitigating the XSS vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect ethyca-fides fides.js DOM-based XSS Attempt\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing the \u003ccode\u003efides_description\u003c/code\u003e parameter with HTML tags or JavaScript code to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T19:06:54Z","date_published":"2026-05-14T19:06:54Z","id":"https://feed.craftedsignal.io/briefs/2026-05-ethyca-fides-xss/","summary":"A DOM-based XSS vulnerability (CVE-2026-44541) exists in ethyca-fides' fides.js script, allowing arbitrary JavaScript execution in the embedding site's origin via crafted links when HTML-formatted descriptions are enabled.","title":"ethyca-fides fides.js DOM-based XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-ethyca-fides-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Ethyca-Fides","version":"https://jsonfeed.org/version/1.1"}