CVE-2024-28855
CVSS 3.1 Score 8.1 of 10 (high)
Details
Summary
CVE-2024-28855 affects ZITADEL's authentication management software: the login UI renders with Go's generic text/template package instead of the intended html/template package. As a result, in versions prior to 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15, request parameters reached the page without HTML escaping. An attacker could exploit this by crafting a link whose injected markup is rendered as part of the login screen. Although HTML and JavaScript could be injected, their execution was blocked by the Content Security Policy. The vulnerability is patched in versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15; no workarounds are known.
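The root cause described above, shown as an added example (not ZITADEL's code): the same template text rendered once through text/template, which copies the parameter verbatim, and once through html/template, which escapes it for the HTML context. The template, the `LoginName` field and the sample value are constructed for illustration.

```go
package main

import (
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// Constructed stand-in for a login template that echoes a request parameter
// back into the page; the field name is assumed, not ZITADEL's.
const loginPage = `<p>Sign in as {{.LoginName}}</p>`

type loginData struct{ LoginName string }

var (
	textTmpl = texttemplate.Must(texttemplate.New("login").Parse(loginPage))
	htmlTmpl = htmltemplate.Must(htmltemplate.New("login").Parse(loginPage))
)

// The vulnerable pattern from the advisory: text/template copies the value
// verbatim, so markup in a query parameter becomes part of the login screen.
func renderWithTextTemplate(name string) (string, error) {
	var sb strings.Builder
	err := textTmpl.Execute(&sb, loginData{LoginName: name})
	return sb.String(), err
}

// The fix: same template text, but html/template escapes the value
// according to the HTML context it lands in.
func renderWithHTMLTemplate(name string) (string, error) {
	var sb strings.Builder
	err := htmlTmpl.Execute(&sb, loginData{LoginName: name})
	return sb.String(), err
}

// Regression check for rendered output: an unescaped tag means the
// parameter reached the page unsanitized.
func containsRawMarkup(page string) bool {
	return strings.Contains(page, "<script")
}

func main() {
	hostile := `<script>alert(1)</script>` // constructed sample parameter value
	raw, _ := renderWithTextTemplate(hostile)
	safe, _ := renderWithHTMLTemplate(hostile)
	fmt.Printf("text/template: %s (raw markup: %v)\n", raw, containsRawMarkup(raw))
	fmt.Printf("html/template: %s (raw markup: %v)\n", safe, containsRawMarkup(safe))
}
```

The CSP mentioned in the summary is what stopped the injected script from executing; the escaping shown here is the fix that stops it from being emitted at all.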