CVE-2024-28855

Summary

CVE-2024-28855 is a vulnerability found in ZITADEL, an open source authentication management software. The software uses Go templates to render the login UI, but prior to versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15, it improperly used the `text/template` package instead of the `html/template` package, resulting in the Login UI not sanitizing input parameters correctly. This allowed an attacker to inject malicious code through a specially crafted link that would be rendered on the login screen, although execution of JavaScript was prevented by the Content Security Policy in place. The issue has been patched in versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2. 42. 15, and 2. 41. 15. No known workarounds are available for this vulnerability at this time. The potential danger this vulnerability poses to organizations is high as it allows an attacker to inject code into the login screen of ZITADEL software and potentially compromise user credentials or gain unauthorized access to the system or sensitive data present within it. Source: [email protected]

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.