User-Uploaded Avatar Image Vulnerability in ZITADEL by ZITADEL
CVE-2024-29891

8.7 HIGH

Key Information:

Vendor: Zitadel
Status: Vendor
CVE Published: 27 March 2024

Summary

A flaw in the ZITADEL platform allows avatar images to be uploaded without adequate validation of their content. An attacker can exploit this to upload malicious HTML disguised as an image, potentially leading to unauthorized access to a user's account. The attack requires the victim to open the malicious image while logged in to ZITADEL, and currently only succeeds in the Firefox browser; Chrome, Safari, and Edge are not vulnerable. The issue has been addressed in versions 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.
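The defensive pattern behind this class of bug is to decide what an upload is from its bytes rather than from the client-supplied file name or Content-Type, and to serve stored avatars with headers that stop a browser from ever treating them as a document. The following Go program is an added example written for this page; it is not ZITADEL's code and not the vendor's fix. The function names, the MIME allowlist, the response headers and the constructed sample uploads (a plain HTML file posing as an image, and a real PNG with HTML appended after its IEND chunk) are all assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"image"
	"image/color"
	"image/png"
	"net/http"
	"strings"

	_ "image/gif"  // register decoders so image.Decode recognises these formats
	_ "image/jpeg" // (assumed allowlist; not ZITADEL's own)
)

// Allowlist of image MIME types an avatar endpoint accepts (assumed for this
// example, not taken from ZITADEL).
var allowedAvatarTypes = map[string]bool{
	"image/png":  true,
	"image/jpeg": true,
	"image/gif":  true,
}

// ErrNotAnImage is returned for uploads whose bytes are not a permitted image,
// whatever the client claimed in Content-Type or the file name.
var ErrNotAnImage = errors.New("upload is not a permitted image")

// SniffType returns the MIME type detected from the leading bytes of data,
// without parameters such as "; charset=utf-8".
func SniffType(data []byte) string {
	t := http.DetectContentType(data)
	if i := strings.IndexByte(t, ';'); i >= 0 {
		t = t[:i]
	}
	return strings.TrimSpace(t)
}

// NormalizeAvatar validates an uploaded avatar and returns a re-encoded PNG.
// Three layers: the sniffed type must be on the allowlist (rejects plain HTML
// with a .png name), the bytes must decode as an image (rejects garbage), and
// re-encoding from the decoded pixels drops any trailing or embedded payload
// that a polyglot file could carry past the first two checks.
func NormalizeAvatar(data []byte) ([]byte, error) {
	if !allowedAvatarTypes[SniffType(data)] {
		return nil, ErrNotAnImage
	}
	img, _, err := image.Decode(bytes.NewReader(data))
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrNotAnImage, err)
	}
	var out bytes.Buffer
	if err := png.Encode(&out, img); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// AvatarHeaders sets the response headers for serving stored avatars so a
// browser treats the bytes strictly as an image and never as a page.
func AvatarHeaders(h http.Header) {
	h.Set("Content-Type", "image/png")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Disposition", "inline; filename=\"avatar.png\"")
	h.Set("Content-Security-Policy", "sandbox; default-src 'none'")
}

// tinyPNG builds a 2x2 PNG in memory: constructed sample input for the demo.
func tinyPNG() []byte {
	img := image.NewRGBA(image.Rect(0, 0, 2, 2))
	img.Set(0, 0, color.RGBA{255, 0, 0, 255})
	var buf bytes.Buffer
	_ = png.Encode(&buf, img)
	return buf.Bytes()
}

func main() {
	// Constructed samples: plain HTML named as an image, and a valid PNG with
	// an HTML payload appended after the IEND chunk (a polyglot).
	htmlUpload := []byte("<html><body><script>alert(1)</script></body></html>")
	polyglot := append(tinyPNG(), []byte("<script>alert(1)</script>")...)

	if _, err := NormalizeAvatar(htmlUpload); err != nil {
		fmt.Println("html upload:", err)
	}
	clean, err := NormalizeAvatar(polyglot)
	fmt.Printf("polyglot: err=%v, payload survived=%v\n",
		err, bytes.Contains(clean, []byte("<script")))
}
```

The re-encode step is what closes the gap left by sniffing alone: `http.DetectContentType` only looks at the first 512 bytes, so a file that starts with a genuine PNG signature passes the allowlist even if HTML follows the image data. Decoding to pixels and writing a fresh PNG keeps only what a renderer needs. The headers in `AvatarHeaders` are the second line of defence on the serving side, so a stored file that somehow bypassed validation is still not rendered as a document in the application's origin.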

References

CVSS V3.1

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published
