CVE-2024-28855
CVSS 3.1 Score 8.1 of 10 (high)
Details
Summary
CVE-2024-28855 affects ZITADEL's identity and authentication management software. The login UI is rendered with Go templates, but the code used the text/template package instead of the intended html/template package, so the login pages received no contextual HTML escaping. As a result, request parameters were reflected into the page unsanitized in versions prior to 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15. An attacker could craft a link whose parameters carry injected markup, which would be rendered as part of the login screen when a victim opened it. Although HTML and JavaScript could be injected this way, execution of the injected script was blocked by ZITADEL's Content Security Policy, which limited the practical impact. The vulnerability is patched in versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15, and no workarounds are known; upgrading is the only fix.
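The root cause is the difference between Go's text/template, which substitutes values verbatim, and html/template, which escapes each value for the HTML context it lands in. The following is an added illustration of that difference, not code from ZITADEL; the template, the pageData type, the field names and the attacker string are all constructed for the example, and stand in for whatever parameter the real login UI echoed.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// loginPage is a constructed stand-in for a login screen that echoes a
// request parameter (here "LoginName") into an attribute and another
// ("Message") into element text. It is not ZITADEL's template.
const loginPage = `<form><input name="loginName" value="{{.LoginName}}"><p>{{.Message}}</p></form>`

// pageData is a hypothetical view model for the template above.
type pageData struct {
	LoginName string
	Message   string
}

// renderWithTextTemplate mirrors the vulnerable pattern: text/template
// performs no escaping, so the parameter is copied into the HTML as-is.
func renderWithTextTemplate(data pageData) (string, error) {
	tmpl, err := texttemplate.New("login").Parse(loginPage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderWithHTMLTemplate is the fixed pattern: html/template parses the
// template as HTML and escapes each value for its context (attribute
// value vs. element text), so the same input can no longer break out.
func renderWithHTMLTemplate(data pageData) (string, error) {
	tmpl, err := htmltemplate.New("login").Parse(loginPage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// reflectedVerbatim reports whether an attacker-controlled value survived
// rendering unchanged, which is the condition for markup injection.
func reflectedVerbatim(rendered, payload string) bool {
	return strings.Contains(rendered, payload)
}

func main() {
	// Constructed attacker-controlled input, as it would arrive from the
	// query string of a crafted link. Not a real exploit string from the CVE.
	attacker := pageData{
		LoginName: `"><script>alert(1)</script>`,
		Message:   "<b>hi</b>",
	}

	raw, err := renderWithTextTemplate(attacker)
	if err != nil {
		panic(err)
	}
	fmt.Println("text/template :", raw)
	fmt.Println("injected      :", reflectedVerbatim(raw, attacker.LoginName))

	safe, err := renderWithHTMLTemplate(attacker)
	if err != nil {
		panic(err)
	}
	fmt.Println("html/template :", safe)
	fmt.Println("injected      :", reflectedVerbatim(safe, attacker.LoginName))
}
```

With text/template the attribute is closed by the attacker's `">` and a `<script>` element follows; with html/template the same value is emitted as `&#34;&gt;&lt;script&gt;...`, which the browser shows as text. The CSP that blocked script execution in ZITADEL is a second layer, not a substitute for the escaping: a strict CSP does nothing against injected markup that merely alters the page (a fake form, a changed link), so the template package switch is the actual fix.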