ZITADEL Authentication Management Software Vulnerability
CVE-2024-28855

6.1 MEDIUM

Key Information:

Vendor: Zitadel
Status: Vendor
CVE Published: 18 March 2024

Summary

ZITADEL, open-source authentication management software, has an injection vulnerability caused by use of Go's 'text/template' package instead of 'html/template' in its login UI. Because 'text/template' performs no contextual escaping, an attacker can craft a link carrying markup that the login screen then renders. Although the Content Security Policy would block execution of injected HTML and JavaScript, the vulnerability remains a risk for earlier versions such as 2.41.15 through 2.47.3. Users are encouraged to upgrade to the patched releases to mitigate this issue. Currently, there are no known workarounds.
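
The root cause named above, text/template used where html/template belongs, is easy to see side by side. The Go program below is an added example, not ZITADEL's code: the page fragment, the Msg field and the sample input are constructed stand-ins, and leaksMarkup is a hypothetical regression check of the kind a fix should ship with.

```go
package main

import (
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// Constructed stand-in for a login-page fragment that echoes a request-
// supplied value; not ZITADEL's real template, and Msg is hypothetical.
const fragment = `<p class="msg">{{.Msg}}</p>`
// Constructed sample of request-controlled input carrying markup.
const sampleInput = `<script>alert(1)</script>`

// renderWithTextTemplate mirrors the defect class: text/template does no
// contextual escaping, so markup in the value reaches the browser intact.
func renderWithTextTemplate(msg string) (string, error) {
	t, err := texttemplate.New("login").Parse(fragment)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = t.Execute(&sb, map[string]string{"Msg": msg})
	return sb.String(), err
}

// renderWithHTMLTemplate is the fix: html/template escapes the value for
// the HTML context it lands in, so the same input renders as inert text.
func renderWithHTMLTemplate(msg string) (string, error) {
	t, err := htmltemplate.New("login").Parse(fragment)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = t.Execute(&sb, map[string]string{"Msg": msg})
	return sb.String(), err
}

// leaksMarkup reports whether a '<' from the untrusted value survived rendering.
func leaksMarkup(rendered string) bool {
	body := strings.TrimSuffix(strings.TrimPrefix(rendered, `<p class="msg">`), `</p>`)
	return strings.Contains(body, "<")
}

func main() {
	raw, _ := renderWithTextTemplate(sampleInput)
	safe, _ := renderWithHTMLTemplate(sampleInput)
	fmt.Println(raw, leaksMarkup(raw), "|", safe, leaksMarkup(safe))
}
```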

Affected Version(s)

zitadel < 2.41.15 < 2.41.15

zitadel >= 2.42.0, < 2.42.15 < 2.42.0, 2.42.15

zitadel >= 2.43.0, < 2.43.9 < 2.43.0, 2.43.9

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved