CVE-2024-28855
📋 TL;DR
ZITADEL authentication management software versions before 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15 contain a cross-site scripting (XSS) vulnerability in the login UI due to improper input sanitization. Attackers can inject malicious HTML/JavaScript via crafted links, potentially compromising user sessions or stealing credentials. Organizations using vulnerable ZITADEL versions for authentication are affected.
💻 Affected Systems
- ZITADEL
📦 What is this software?
Zitadel by Zitadel
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious JavaScript that steals user credentials, hijacks sessions, or redirects users to phishing sites, potentially compromising authentication systems.
Likely Case
Limited impact due to Content Security Policy preventing JavaScript execution, but HTML injection could still create convincing phishing interfaces or UI manipulation.
If Mitigated
With proper Content Security Policy, JavaScript execution is blocked, reducing risk to HTML injection only for UI manipulation.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious link) but is technically simple once the vulnerability is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, or 2.41.15
Vendor Advisory: https://github.com/zitadel/zitadel/releases
Restart Required: Yes
Instructions:
1. Identify the current ZITADEL version.
2. Upgrade to the appropriate patched version for your release line.
3. Restart ZITADEL services.
4. Verify the fix by testing the login UI.
🧯 If You Can't Patch
- Implement strict Content Security Policy headers to block inline JavaScript execution.
- Monitor for suspicious login attempts and unusual login UI modifications.
🔍 How to Verify
Check if Vulnerable:
Compare the running ZITADEL version against the affected-versions list. If it is older than the patched release for its release line (or older than 2.41.15 on a line with no patched release), the system is vulnerable.
Check Version:
Check ZITADEL configuration files or use 'zitadel version' command if available in deployment.
Verify Fix Applied:
After patching, verify that the version is at or above the patched release for its line (2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, or 2.41.15) or a newer release line. Test the login UI with basic XSS payloads to confirm sanitization.
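The version comparison above is fiddly to do by hand because each 2.x release line has its own patched release. The following script is an added example (not ZITADEL project code) that encodes the patched releases listed in this advisory and reports whether a given version string is affected and which release to move to. It assumes that release lines older than 2.41 have no patched release of their own and must move to 2.41.15 or later, that 2.48 and later lines already carry the fix, and that pre-release tags (e.g. `2.41.15-rc.1`) sort below the release they precede.

```python
"""Check a ZITADEL version string against CVE-2024-28855 (added example)."""
import re
from typing import NamedTuple, Optional

# Patched release per affected 2.x release line, taken from the advisory.
PATCHED_BY_LINE = {
    41: (2, 41, 15),
    42: (2, 42, 15),
    43: (2, 43, 9),
    44: (2, 44, 3),
    45: (2, 45, 1),
    46: (2, 46, 1),
    47: (2, 47, 3),
}

# Accepts "2.47.3", "v2.47.3", "2.47.3-rc.1" and an optional "+build" suffix.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$"
)


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    final: int  # 1 for a release, 0 for a pre-release; keeps 2.41.15-rc.1 < 2.41.15

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}"


def parse_version(text: str) -> Version:
    """Parse a ZITADEL version string; raises ValueError on anything unexpected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ZITADEL version string: {text!r}")
    major, minor, patch, prerelease, _build = m.groups()
    return Version(int(major), int(minor), int(patch), 0 if prerelease else 1)


def patched_release_for(v: Version) -> Version:
    """Smallest release that closes CVE-2024-28855 for an install on version v."""
    if v.major == 2 and v.minor in PATCHED_BY_LINE:
        return Version(*PATCHED_BY_LINE[v.minor], 1)
    oldest_line = min(PATCHED_BY_LINE)
    if v.major < 2 or (v.major == 2 and v.minor < oldest_line):
        # Assumption: no patched release exists for these lines, so the
        # nearest fixed release is the oldest patched line (2.41.15).
        return Version(*PATCHED_BY_LINE[oldest_line], 1)
    # Assumption: 2.48+ and later majors ship with the fix already included.
    return v


def is_vulnerable(text: str) -> bool:
    v = parse_version(text)
    return v < patched_release_for(v)


def check(text: str) -> dict:
    """Return a small report: version, vulnerable flag, and upgrade target (None if fixed)."""
    v = parse_version(text)
    target = patched_release_for(v)
    vulnerable = v < target
    upgrade_to: Optional[str] = str(target) if vulnerable else None
    return {"version": str(v), "vulnerable": vulnerable, "upgrade_to": upgrade_to}


if __name__ == "__main__":
    # Constructed sample inputs, e.g. the output of `zitadel version` on several hosts.
    for sample in ["2.47.2", "v2.47.3", "2.41.15-rc.1", "2.40.7", "2.48.0"]:
        print(check(sample))
```

Feed it the output of `zitadel version` (or the image tag from your deployment manifest) for each host; any entry with `vulnerable: True` names the release to move to on that line.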
📡 Detection & Monitoring
Log Indicators:
- Unusual login attempts with long or encoded parameters
- Requests containing HTML/JavaScript patterns in login parameters
Network Indicators:
- HTTP requests to login endpoints with suspicious parameter values
- User reports of unexpected login UI behavior (altered forms, unexpected prompts or redirects)
SIEM Query:
source="zitadel" AND (url="*/login*" OR url="*/auth*") AND (param="*<script>*" OR param="*javascript:*" OR param_length>1000)
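The SIEM query above matches on raw parameter text, so URL-encoded or double-encoded values slip past it. The script below is an added example (not ZITADEL project code or a vendor-supplied rule) that applies the same three indicators (script tag, `javascript:` scheme, parameter longer than 1000 characters) plus a generic HTML-tag check to decoded query parameters of requests whose path contains `/login` or `/auth`. The log lines and the `/ui/login/login` and `/oauth/v2/authorize` paths are constructed for the example; adjust the line regex to your proxy or access-log format.

```python
"""Flag HTML/JavaScript patterns in login-endpoint query parameters (added example)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines, format: <client_ip> "<METHOD> <target> HTTP/x.y" <status>
SAMPLE_LOG = "\n".join([
    '10.0.0.5 "GET /ui/login/login?authRequestID=abc123 HTTP/1.1" 200',
    '10.0.0.6 "GET /ui/login/login?authRequestID=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200',
    '10.0.0.7 "GET /ui/login/login?loginName=javascript%3Avoid(0) HTTP/1.1" 200',
    '10.0.0.8 "GET /ui/login/login?authRequestID=' + "A" * 1200 + ' HTTP/1.1" 200',
    '10.0.0.9 "GET /oauth/v2/authorize?client_id=web&redirect_uri=https%3A%2F%2Fapp.example%2Fcb HTTP/1.1" 302',
])

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
LOGIN_PATH_RE = re.compile(r"/(login|auth)", re.IGNORECASE)  # mirrors */login* and */auth*
MAX_PARAM_LEN = 1000  # same threshold as param_length>1000 in the SIEM query

INDICATORS = {
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "javascript_scheme": re.compile(r"javascript\s*:", re.IGNORECASE),
    "html_tag": re.compile(r"<\s*/?[a-z][a-z0-9]*[\s>/]", re.IGNORECASE),
}


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so double-encoded input is inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_target(target: str) -> list:
    """Return sorted indicator names for a login/auth request target; [] for other paths or clean input."""
    parts = urlsplit(target)
    if not LOGIN_PATH_RE.search(parts.path):
        return []
    found = set()
    # parse_qsl already removes one layer of encoding; fully_decode handles the rest.
    for _name, raw in parse_qsl(parts.query, keep_blank_values=True):
        if len(raw) > MAX_PARAM_LEN:
            found.add("long_param")
        value = fully_decode(raw)
        for indicator, pattern in INDICATORS.items():
            if pattern.search(value):
                found.add(indicator)
    return sorted(found)


def scan(log_text: str) -> list:
    """Return (client_ip, path, indicators) for every log line that trips at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; route to a separate parse-failure counter in production
        indicators = analyze_target(m["target"])
        if indicators:
            hits.append((m["ip"], urlsplit(m["target"]).path, indicators))
    return hits


if __name__ == "__main__":
    for ip, path, indicators in scan(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(indicators)}")
```

Only the second, third and fourth sample lines are reported; the benign `/oauth/v2/authorize` request with an encoded `redirect_uri` is not, which is the false-positive case a raw substring match on `%3C` would get wrong.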
🔗 References
- https://github.com/zitadel/zitadel/releases/tag/v2.41.15
- https://github.com/zitadel/zitadel/releases/tag/v2.42.15
- https://github.com/zitadel/zitadel/releases/tag/v2.43.9
- https://github.com/zitadel/zitadel/releases/tag/v2.44.3
- https://github.com/zitadel/zitadel/releases/tag/v2.45.1
- https://github.com/zitadel/zitadel/releases/tag/v2.46.1
- https://github.com/zitadel/zitadel/releases/tag/v2.47.3
- https://github.com/zitadel/zitadel/security/advisories/GHSA-hfrg-4jwr-jfpj