ZITADEL Authentication Management Software Vulnerability
CVE-2024-28855
What is CVE-2024-28855?
ZITADEL, open-source authentication management software, has an injection vulnerability caused by its login UI using Go's 'text/template' package instead of 'html/template'. Because 'text/template' copies interpolated values into the output verbatim, with no HTML escaping, an attacker can craft a malicious link that injects content which the login screen renders. Execution of injected HTML and JavaScript would be blocked by the Content Security Policy, but the vulnerability remains a risk for versions such as 2.41.15 through 2.47.3. Users are encouraged to upgrade to the patched releases to mitigate this issue; no workarounds are currently known.
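The following Go program is an added example, not ZITADEL's code, that isolates the root cause described above: the same template rendered once with 'text/template' and once with 'html/template', given a login name that contains markup. The template string, the loginPage struct and its LoginName field are assumptions made for this illustration; the sample input is constructed.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// loginPage is a hypothetical view model for the login screen (assumption
// for this example, not ZITADEL's actual type).
type loginPage struct {
	LoginName string
}

// pageTmpl is a stand-in for a login UI fragment that echoes a value taken
// from the request, which is the pattern the advisory describes.
const pageTmpl = `<p>Welcome back, {{.LoginName}}</p>`

// renderWithTextTemplate reproduces the defect: text/template has no notion
// of HTML context and writes the value into the page exactly as received.
func renderWithTextTemplate(loginName string) (string, error) {
	t, err := texttemplate.New("login").Parse(pageTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, loginPage{LoginName: loginName}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderWithHTMLTemplate is the fix: html/template parses the template as
// HTML, works out that {{.LoginName}} lands in a text node, and applies the
// escaping appropriate for that context automatically.
func renderWithHTMLTemplate(loginName string) (string, error) {
	t, err := htmltemplate.New("login").Parse(pageTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, loginPage{LoginName: loginName}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// inputLeaksAsMarkup is a simple regression check a reviewer can keep in a
// test suite: if the raw, unescaped input string appears in the rendered
// page, the renderer is not escaping for HTML.
func inputLeaksAsMarkup(rendered, input string) bool {
	return strings.ContainsAny(input, "<>&\"'") && strings.Contains(rendered, input)
}

func main() {
	// Constructed sample input: harmless markup, enough to show the difference.
	input := `<b>alice</b>`

	unsafe, err := renderWithTextTemplate(input)
	if err != nil {
		panic(err)
	}
	safe, err := renderWithHTMLTemplate(input)
	if err != nil {
		panic(err)
	}

	fmt.Println("text/template :", unsafe, "| leaks markup:", inputLeaksAsMarkup(unsafe, input))
	fmt.Println("html/template :", safe, "| leaks markup:", inputLeaksAsMarkup(safe, input))
}
```

With the constructed input, the text/template output contains the tags as written, while html/template emits `&lt;b&gt;alice&lt;/b&gt;`. Auditing for this class of bug reduces to finding imports of "text/template" in code paths that produce HTTP responses; a CSP limits what an injected fragment can do, but only html/template removes the injection itself.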

Affected Version(s)
zitadel < 2.41.15
zitadel >= 2.42.0, < 2.42.15
zitadel >= 2.43.0, < 2.43.9
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved
