Zitadel up to 2.58.0 cross site scripting

Summaryinfo

A vulnerability was found in Zitadel up to 2.58.0 and classified as problematic. Affected by this vulnerability is an unknown functionality. Such manipulation leads to cross site scripting. This vulnerability is traded as CVE-2024-41953. The attack may be launched remotely. There is no exploit available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in Zitadel up to 2.58.0. It has been rated as problematic. Affected by this issue is an unknown code. The manipulation with an unknown input leads to a cross site scripting vulnerability. Using CWE to declare the problem leads to CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Impacted is integrity. CVE summarizes:

Zitadel is an open source identity management system. ZITADEL uses HTML for emails and renders certain information such as usernames dynamically. That information can be entered by users or administrators. Due to a missing output sanitization, these emails could include malicious code. This may potentially lead to a threat where an attacker, without privileges, could send out altered notifications that are part of the registration processes. An attacker could create a malicious link, where the injected code would be rendered as part of the email. On the user's detail page, the username was also not sanitized and would also render HTML, giving an attacker the same vulnerability. While it was possible to inject HTML including javascript, the execution of such scripts would be prevented by most email clients and the Content Security Policy in Console UI. This vulnerability is fixed in 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8 2.53.9, and 2.52.3.

The advisory is shared for download at github.com. This vulnerability is handled as CVE-2024-41953 since 07/24/2024. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1059.007.

Upgrading to version 2.52.3, 2.53.9, 2.54.8, 2.55.5, 2.56.2, 2.57.1 or 2.58.1 eliminates this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Name

• Zitadel

Version

• 2.0
• 2.1
• 2.2
• 2.3
• 2.4
• 2.5
• 2.6
• 2.7
• 2.8
• 2.9
• 2.10
• 2.11
• 2.12
• 2.13
• 2.14
• 2.15
• 2.16
• 2.17
• 2.18
• 2.19
• 2.20
• 2.21
• 2.22
• 2.23
• 2.24
• 2.25
• 2.26
• 2.27
• 2.28
• 2.29
• 2.30
• 2.31
• 2.32
• 2.33
• 2.34
• 2.35
• 2.36
• 2.37
• 2.38
• 2.39
• 2.40
• 2.41
• 2.42
• 2.43
• 2.44
• 2.45
• 2.46
• 2.47
• 2.48
• 2.49
• 2.50
• 2.51
• 2.52
• 2.52.0
• 2.52.1
• 2.52.2
• 2.53
• 2.53.0
• 2.53.1
• 2.53.2
• 2.53.3
• 2.53.4
• 2.53.5
• 2.53.6
• 2.53.7
• 2.53.8
• 2.54
• 2.54.0
• 2.54.1
• 2.54.2
• 2.54.3
• 2.54.4
• 2.54.5
• 2.54.6
• 2.54.7
• 2.55
• 2.55.0
• 2.55.1
• 2.55.2
• 2.55.3
• 2.55.4
• 2.56
• 2.56.0
• 2.56.1
• 2.57
• 2.57.0
• 2.58.0

Website

• Product: https://github.com/zitadel/zitadel/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion