2 matches found
GHSA-HR5W-CWWQ-2V4M ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass
Impact ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. A possible victim would need to directly open the supposed imag...
CVE-2024-29892 ZITADEL's actions can overload reserved claims
ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim urn:zitadel:iam:user:resourceowner:name. To compensate for this ...