ZITADEL vulnerable to improper HTML sanitization
Description
ZITADEL, open source authentication management software, uses Go templates to render the login UI. Due to a improper use of the text/template instead of the html/template package, the Login UI did not sanitize input parameters prior to versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15. An attacker could create a malicious link, where he injected code which would be rendered as part of the login screen. While it was possible to inject HTML including JavaScript, the execution of such scripts would be prevented by the Content Security Policy. Versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15 contain a patch for this issue. No known workarounds are available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/zitadel/zitadelGo | >= 1.80.1, < 2.41.15 | 2.41.15 |
github.com/zitadel/zitadelGo | >= 2.42.0, < 2.42.15 | 2.42.15 |
github.com/zitadel/zitadelGo | >= 2.43.0, < 2.43.9 | 2.43.9 |
github.com/zitadel/zitadelGo | >= 2.44.0, < 2.44.3 | 2.44.3 |
github.com/zitadel/zitadelGo | >= 2.45.0, < 2.45.1 | 2.45.1 |
github.com/zitadel/zitadelGo | >= 2.46.0, < 2.46.1 | 2.46.1 |
github.com/zitadel/zitadelGo | >= 2.47.0, < 2.47.4 | 2.47.4 |
github.com/zitadel/zitadelGo | < 0.0.0-20240311065202-07ec2efa9dc6 | 0.0.0-20240311065202-07ec2efa9dc6 |
github.com/zitadel/zitadelGo | >= 0.0.0, < 1.80.0-v2.20.0.20240311065202-07ec2efa9dc6 | 1.80.0-v2.20.0.20240311065202-07ec2efa9dc6 |
Affected products
2Patches
Vulnerability mechanics
References
11- github.com/advisories/GHSA-hfrg-4jwr-jfpjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-28855ghsaADVISORY
- github.com/zitadel/zitadel/commit/07ec2efa9dc62f7a6c3a58c112b2879d24bc3e3cghsaWEB
- github.com/zitadel/zitadel/releases/tag/v2.41.15ghsax_refsource_MISCWEB
- github.com/zitadel/zitadel/releases/tag/v2.42.15ghsax_refsource_MISCWEB
- github.com/zitadel/zitadel/releases/tag/v2.43.9ghsax_refsource_MISCWEB
- github.com/zitadel/zitadel/releases/tag/v2.44.3ghsax_refsource_MISCWEB
- github.com/zitadel/zitadel/releases/tag/v2.45.1ghsax_refsource_MISCWEB
- github.com/zitadel/zitadel/releases/tag/v2.46.1ghsax_refsource_MISCWEB
- github.com/zitadel/zitadel/releases/tag/v2.47.3ghsax_refsource_MISCWEB
- github.com/zitadel/zitadel/security/advisories/GHSA-hfrg-4jwr-jfpjghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.