CVE-2024-28855

CVSS 3.1 Score 8.1 of 10 (high)

Details

Published: Mar 18, 2024
Updated: Mar 19, 2024
CWE ID: 20 (Improper Input Validation)

Summary

CVE-2024-28855 affects the login UI of ZITADEL's identity and authentication management software. Prior to versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15, the login UI rendered its pages with Go's plain text/template package rather than html/template. text/template substitutes values verbatim, whereas html/template escapes each value according to the HTML context it lands in, so request parameters reached the rendered page unsanitized. An attacker could craft a malicious link whose injected markup would be rendered as part of the login screen. Although both HTML and JavaScript could be injected this way, the Content Security Policy blocked script execution; it did not stop the injected HTML itself from appearing in the page. The issue is fixed in the versions listed above. No workarounds are known, so upgrading is the only remediation.
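The following is an added example, not ZITADEL's code, showing why the choice of template package matters for a parameter echoed into a login form. The template, the loginName parameter, the pageData type and the payload are all constructed for illustration; the two render functions differ only in which package parses the same template string.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// loginPage is a constructed stand-in for a login screen that echoes a
// request parameter (the login name) back into the form. It is not the
// ZITADEL template; it only reproduces the shape of the problem.
const loginPage = `<form action="/login"><input name="loginName" value="{{.LoginName}}"></form>`

// pageData carries the attacker-controlled value taken from the URL.
type pageData struct {
	LoginName string
}

// Payload is a constructed value of the kind a crafted link could carry:
// it closes the quoted attribute and the input tag, injects a script
// element, then reopens an attribute so the remaining template text still
// parses as HTML.
const Payload = `"><script>alert(1)</script><input value="`

// RenderWithTextTemplate mirrors the vulnerable behaviour: text/template
// knows nothing about HTML and substitutes the value verbatim, so any
// markup in it becomes part of the page.
func RenderWithTextTemplate(loginName string) (string, error) {
	tmpl, err := texttemplate.New("login").Parse(loginPage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, pageData{LoginName: loginName}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderWithHTMLTemplate mirrors the fix: html/template parses the template
// as HTML, sees that the value lands inside a double-quoted attribute, and
// escapes the quote and angle brackets so the value cannot break out of it.
func RenderWithHTMLTemplate(loginName string) (string, error) {
	tmpl, err := htmltemplate.New("login").Parse(loginPage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, pageData{LoginName: loginName}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	vulnerable, err := RenderWithTextTemplate(Payload)
	if err != nil {
		panic(err)
	}
	fixed, err := RenderWithHTMLTemplate(Payload)
	if err != nil {
		panic(err)
	}
	fmt.Println("text/template:", vulnerable)
	fmt.Println("html/template:", fixed)
}
```

The only code change between the two functions is the import, which is what makes this class of bug easy to introduce and easy to miss in review: both packages expose the same Parse and Execute API. A quick check in a Go code base is to grep for `"text/template"` in any package that writes to an http.ResponseWriter. Note also that a CSP, as in this advisory, stops the injected script from running but not the injected markup from being rendered, so it is defence in depth rather than a fix.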
