CVE-2024-28855 — XSS in github.com/zitadel/zitadel

Description

The Login UI did not sanitize input parameters. An attacker could create a malicious link, where injected code would be rendered as part of the login screen.

How to fix CVE-2024-28855

To remediate CVE-2024-28855, upgrade the affected package to a fixed version below.

Go/github.com/zitadel/zitadel—upgrade to 2.41.15 or later
Go/github.com/zitadel/zitadel—upgrade to 1.80.0-v2.20.0.20240312162750-5908b97e7c22 or later

Is CVE-2024-28855 being exploited?

Low — EPSS is 2.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 1.80.1, < 2.41.15
from 0, < 1.80.0-v2.20.0.20240312162750-5908b97e7c22

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-28855
PATCHgithub.com/zitadel/zitadel
WEBgithub.com/zitadel/zitadel/commit/07ec2efa9dc62f7a6c3a58c112b2879d24bc3e3c
WEBgithub.com/zitadel/zitadel/releases/tag/v2.41.15
WEB