Vulnerability Report: GO-2024-2655

  • CVE-2024-28855, GHSA-hfrg-4jwr-jfpj
  • Affects: github.com/zitadel/zitadel
  • Published: Mar 27, 2024
  • Modified: Jul 09, 2024

The Login UI did not sanitize input parameters. An attacker could create a malicious link, where injected code would be rendered as part of the login screen.

For detailed information about this vulnerability, visit https://github.com/zitadel/zitadel/security/advisories/GHSA-hfrg-4jwr-jfpj.

Affected Packages

  • Path
    Go Versions
    Custom Versions*
    Symbols
  • github.com/zitadel/zitadel/internal/renderer
    before v1.80.0-v2.20.0.20240312162750-5908b97e7c22
    before 2.41.15, from 2.42.0 before 2.42.15, from 2.43.0 before 2.43.9, from 2.44.0 before 2.44.3, from 2.45.0 before 2.45.1, from 2.46.0 before 2.46.1, from 2.47.0 before 2.47.4
    all symbols

*Custom versions, which can't be mapped automatically to standard Go module versions, are ignored by govulncheck. (See this note on versions for more details.)

Aliases

References

Credits

  • Daniel Philipp (OWT) and Thomas Wickham (Synopsis)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.