User-Uploaded Avatar Image Vulnerability in ZITADEL by ZITADEL
CVE-2024-29891
What is CVE-2024-29891?
A flaw in the ZITADEL platform allows avatar images to be uploaded without adequate validation. An attacker can exploit this to upload malicious HTML disguised as an image, potentially leading to unauthorized access to a user's account. The attack requires the victim to open the malicious image while logged into ZITADEL, and it currently affects users of the Firefox browser; Chrome, Safari, and Edge are not vulnerable to this attack. The issue has been addressed in various updates, including versions 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.
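
One way to validate an uploaded avatar on the server, shown as an added example that is not ZITADEL's code or its actual fix: the upload is sniffed, size-bounded, fully decoded and re-encoded as PNG, so HTML disguised as an image is never stored. The names `SanitizeAvatar` and `ConstructedPNG` and the `maxSide` limit are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"image"
	_ "image/gif"
	_ "image/jpeg"
	"image/png"
	"net/http"
)

const maxSide = 1024 // assumed dimension limit, not a ZITADEL setting
var errNotImage = errors.New("avatar rejected: not an allowed image")

// SanitizeAvatar ignores the client-supplied name and type. It sniffs the bytes,
// bounds the dimensions, fully decodes the image and re-encodes it as PNG.
func SanitizeAvatar(upload []byte) ([]byte, error) {
	switch http.DetectContentType(upload) {
	case "image/png", "image/jpeg", "image/gif":
	default:
		return nil, errNotImage
	}
	cfg, _, err := image.DecodeConfig(bytes.NewReader(upload))
	if err != nil || cfg.Width > maxSide || cfg.Height > maxSide {
		return nil, errNotImage
	}
	img, _, err := image.Decode(bytes.NewReader(upload))
	if err != nil {
		return nil, errNotImage
	}
	var out bytes.Buffer
	err = png.Encode(&out, img)
	return out.Bytes(), err
}

// ConstructedPNG builds a 2x2 sample image for the demonstration.
func ConstructedPNG() []byte {
	var b bytes.Buffer
	png.Encode(&b, image.NewRGBA(image.Rect(0, 0, 2, 2)))
	return b.Bytes()
}

func main() {
	_, htmlErr := SanitizeAvatar([]byte("<html>constructed sample</html>"))
	out, pngErr := SanitizeAvatar(ConstructedPNG())
	fmt.Println(htmlErr, len(out) > 0, pngErr)
}
```

Serving the stored file with a fixed `Content-Type` and `X-Content-Type-Options: nosniff` is a complementary control on the download side.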

