Headline

GHSA-hr5w-cwwq-2v4m: ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass

Impact

ZITADEL users can upload their own avatar image and various image types are allowed.

Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim’s account in certain scenarios. A possible victim would need to directly open the supposed image in the browser, where a session in ZITADEL needs to be active for this exploit to work.

The exploit could only be reproduced if the victim was using Firefox. Chrome, Safari as well as Edge did not execute the code.

Patches

2.x versions are fixed on >= 2.48.3 2.47.x versions are fixed on >= 2.47.8 2.46.x versions are fixed on >= 2.46.5 2.45.x versions are fixed on >= 2.45.5 2.44.x versions are fixed on >= 2.44.7 2.43.x versions are fixed on >= 2.43.11 2.42.x versions are fixed on >= 2.42.17

ZITADEL recommends upgrading to the latest versions available in due course.

Workarounds

There is no workaround since a patch is already available.

References

None

Questions

If you have any questions or comments about this advisory, please email us at [email protected]

Credits

Thanks to Amit Laish – GE Vernova for finding and reporting the vulnerability.

5 months ago

ghsa

Open in Source

#xss #vulnerability #ios #git #chrome #firefox

- Actions
  
  Automate any workflow
- Packages
  
  Host and manage packages
- Security
  
  Find and fix vulnerabilities
- Codespaces
  
  Instant dev environments
- Copilot
  
  Write better code with AI
- Code review
  
  Manage code changes
- Issues
  
  Plan and track work
- Discussions
  
  Collaborate outside of code

- GitHub Sponsors
  
  Fund open source developers

*   The ReadME Project
    
    GitHub community articles

Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

GitHub Advisory Database
GitHub Reviewed
CVE-2024-29891

ZITADEL’s Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass

High severity GitHub Reviewed Published Mar 27, 2024 in zitadel/zitadel • Updated Mar 28, 2024

Package

gomod github.com/zitadel/zitadel (Go)

Affected versions

< 2.42.17

>= 2.43.0, < 2.43.11

>= 2.44.0, < 2.44.7

>= 2.45.0, < 2.45.5

>= 2.46.0, < 2.46.5

>= 2.47.0, < 2.47.8

>= 2.48.0, < 2.48.3

Patched versions

2.42.17

2.43.11

2.44.7

2.45.5

2.46.5

2.47.8

2.48.3

Description

Published to the GitHub Advisory Database

Mar 28, 2024

Last updated

Mar 28, 2024

ghsa: Latest News

GHSA-rxq8-q85f-m866: Prevent XSS from Confidant API call

14 hours ago

ghsa

GHSA-58vj-cv5w-v4v6: Navidrome has Multiple SQL Injections and ORM Leak

15 hours ago

ghsa

GHSA-73rg-f94j-xvhx: Plate allows arbitrary DOM attributes in element.attributes and leaf.attributes

15 hours ago

ghsa

GHSA-9hf4-67fc-4vf4: Puma's header normalization allows for client to clobber proxy set headers

16 hours ago

ghsa

GHSA-w69q-w4h4-2fx8: Reverb use after free vulnerability

1 day ago

ghsa