4 matches found
Session Hijacking
github.com/zitadel/zitadel is vulnerable to Session Hijacking. The vulnerability is due to insufficient validation of reused IdP intents via repeated IdP intent exploitation, allowing attackers with access to the application's URI to retrieve authentication tokens and impersonate users...
CVE-2025-46815
The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id...
CVE-2025-46815
ZITADEL Session API vulnerability (CVE-2025-46815) allows token/id reuse from idp intents prior to versions 3.0.0, 2.71.9, and 2.70.10. An attacker with URI access could obtain the id and token and authenticate on behalf of the user. MFA prevents full authentication, but this exposes a partial au...
Insufficient Session Expiration
Overview Affected versions of this package are vulnerable to Insufficient Session Expiration through the Session API. An attacker can authenticate on behalf of the user by repeatedly using idp intents to retrieve the id and token from the application's URI. Remediation Upgrade...