High severity · NVD Advisory · Published Mar 18, 2024 · Updated Aug 13, 2024

ZITADEL vulnerable to improper HTML sanitization

CVE-2024-28855

Description

ZITADEL, open source authentication management software, uses Go templates to render the login UI. Due to an improper use of the text/template package instead of the html/template package, the Login UI did not sanitize input parameters prior to versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15. An attacker could create a malicious link into which they injected code that would be rendered as part of the login screen. While it was possible to inject HTML including JavaScript, the execution of such scripts would be prevented by the Content Security Policy. Versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15 contain a patch for this issue. No known workarounds are available.
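The root cause described above, shown side by side as an added example (not ZITADEL's own code): the same template executed once through text/template, which copies a request parameter into the page verbatim, and once through html/template, which escapes it for the HTML context. The template string, the loginData struct and the function names are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"io"
	texttemplate "text/template"
)

// loginPage stands in for a login template that echoes a request parameter
// back into the page. Assumed template, not ZITADEL's own.
const loginPage = `<p>Signing in as {{.LoginName}}</p>`

// loginData carries the value taken from the request (assumed struct name).
type loginData struct{ LoginName string }

// executor is satisfied by both text/template.Template and html/template.Template.
type executor interface{ Execute(io.Writer, any) error }

func render(t executor, param string) (string, error) {
	var buf bytes.Buffer
	if err := t.Execute(&buf, loginData{LoginName: param}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderTextTemplate reproduces the defect class: text/template does no
// contextual escaping, so markup in the parameter reaches the page verbatim.
func renderTextTemplate(param string) (string, error) {
	return render(texttemplate.Must(texttemplate.New("login").Parse(loginPage)), param)
}

// renderHTMLTemplate is the fix: html/template escapes the value for the
// HTML context it is interpolated into, so the markup renders as literal text.
func renderHTMLTemplate(param string) (string, error) {
	return render(htmltemplate.Must(htmltemplate.New("login").Parse(loginPage)), param)
}

func main() {
	// Constructed sample parameter containing HTML markup.
	const param = `<b>alice</b>`
	raw, _ := renderTextTemplate(param)
	escaped, _ := renderHTMLTemplate(param)
	fmt.Println("text/template:", raw)     // <p>Signing in as <b>alice</b></p>
	fmt.Println("html/template:", escaped) // <p>Signing in as &lt;b&gt;alice&lt;/b&gt;</p>
}
```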


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Ecosystem   Affected versions                                           Patched versions
github.com/zitadel/zitadel  Go          >= 1.80.1, < 2.41.15                                        2.41.15
github.com/zitadel/zitadel  Go          >= 2.42.0, < 2.42.15                                        2.42.15
github.com/zitadel/zitadel  Go          >= 2.43.0, < 2.43.9                                         2.43.9
github.com/zitadel/zitadel  Go          >= 2.44.0, < 2.44.3                                         2.44.3
github.com/zitadel/zitadel  Go          >= 2.45.0, < 2.45.1                                         2.45.1
github.com/zitadel/zitadel  Go          >= 2.46.0, < 2.46.1                                         2.46.1
github.com/zitadel/zitadel  Go          >= 2.47.0, < 2.47.4                                         2.47.4
github.com/zitadel/zitadel  Go          < 0.0.0-20240311065202-07ec2efa9dc6                         0.0.0-20240311065202-07ec2efa9dc6
github.com/zitadel/zitadel  Go          >= 0.0.0, < 1.80.0-v2.20.0.20240311065202-07ec2efa9dc6      1.80.0-v2.20.0.20240311065202-07ec2efa9dc6
