blob: 41f7d2f1304ef9aac3a2c7b102cb3df5cb6a870d [file] [log] [blame]
id: GO-2024-2665
modules:
- module: github.com/zitadel/zitadel
non_go_versions:
- fixed: 2.42.17
- introduced: 2.43.0
- fixed: 2.43.11
- introduced: 2.44.0
- fixed: 2.44.7
- introduced: 2.45.0
- fixed: 2.45.5
- introduced: 2.46.0
- fixed: 2.46.5
- introduced: 2.47.0
- fixed: 2.47.8
- introduced: 2.48.0
- fixed: 2.48.3
vulnerable_at: 1.87.5
summary: |-
ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored
XSS + CSP Bypass in github.com/zitadel/zitadel
cves:
- CVE-2024-29891
ghsas:
- GHSA-hr5w-cwwq-2v4m
references:
- advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-29891
- web: https://github.com/zitadel/zitadel/releases/tag/v2.42.17
- web: https://github.com/zitadel/zitadel/releases/tag/v2.43.11
- web: https://github.com/zitadel/zitadel/releases/tag/v2.44.7
- web: https://github.com/zitadel/zitadel/releases/tag/v2.45.5
- web: https://github.com/zitadel/zitadel/releases/tag/v2.46.5
- web: https://github.com/zitadel/zitadel/releases/tag/v2.47.8
- web: https://github.com/zitadel/zitadel/releases/tag/v2.48.3
source:
id: GHSA-hr5w-cwwq-2v4m
created: 2024-08-16T16:20:34.214998-04:00
review_status: UNREVIEWED