ZITADEL vulnerable to improper HTML sanitization
Description
ZITADEL, open source authentication management software, uses Go templates to render the login UI. Due to a improper use of the text/template instead of the html/template package, the Login UI did not sanitize input parameters prior to versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15. An attacker could create a malicious link, where he injected code which would be rendered as part of the login screen. While it was possible to inject HTML including JavaScript, the execution of such scripts would be prevented by the Content Security Policy. Versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15 contain a patch for this issue. No known workarounds are available.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/zitadel/zitadelGo | >= 1.80.1, < 2.41.15 | 2.41.15 |
github.com/zitadel/zitadelGo | >= 2.42.0, < 2.42.15 | 2.42.15 |
github.com/zitadel/zitadelGo | >= 2.43.0, < 2.43.9 | 2.43.9 |
github.com/zitadel/zitadelGo | >= 2.44.0, < 2.44.3 | 2.44.3 |
github.com/zitadel/zitadelGo | >= 2.45.0, < 2.45.1 | 2.45.1 |
github.com/zitadel/zitadelGo | >= 2.46.0, < 2.46.1 | 2.46.1 |
github.com/zitadel/zitadelGo | >= 2.47.0, < 2.47.4 | 2.47.4 |
github.com/zitadel/zitadelGo | < 0.0.0-20240311065202-07ec2efa9dc6 | 0.0.0-20240311065202-07ec2efa9dc6 |
github.com/zitadel/zitadelGo | >= 0.0.0, < 1.80.0-v2.20.0.20240311065202-07ec2efa9dc6 | 1.80.0-v2.20.0.20240311065202-07ec2efa9dc6 |
Affected products
1Patches
107ec2efa9dc6fix: use correct template package (#7522)
1 file changed · +1 −1
internal/renderer/renderer.go+1 −1 modified@@ -2,10 +2,10 @@ package renderer import ( "context" + "html/template" "io/ioutil" "net/http" "os" - "text/template" "github.com/zitadel/logging" "golang.org/x/text/language"
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
11- github.com/advisories/GHSA-hfrg-4jwr-jfpjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-28855ghsaADVISORY
- github.com/zitadel/zitadel/commit/07ec2efa9dc62f7a6c3a58c112b2879d24bc3e3cghsaWEB
- github.com/zitadel/zitadel/releases/tag/v2.41.15ghsax_refsource_MISCWEB
- github.com/zitadel/zitadel/releases/tag/v2.42.15ghsax_refsource_MISCWEB
- github.com/zitadel/zitadel/releases/tag/v2.43.9ghsax_refsource_MISCWEB
- github.com/zitadel/zitadel/releases/tag/v2.44.3ghsax_refsource_MISCWEB
- github.com/zitadel/zitadel/releases/tag/v2.45.1ghsax_refsource_MISCWEB
- github.com/zitadel/zitadel/releases/tag/v2.46.1ghsax_refsource_MISCWEB
- github.com/zitadel/zitadel/releases/tag/v2.47.3ghsax_refsource_MISCWEB
- github.com/zitadel/zitadel/security/advisories/GHSA-hfrg-4jwr-jfpjghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.