8.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-29891

CVE-2024-29891: ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass

Impact

ZITADEL users can upload their own avatar image and various image types are allowed.

Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. A possible victim would need to directly open the supposed image in the browser, where a session in ZITADEL needs to be active for this exploit to work.

The exploit could only be reproduced if the victim was using Firefox. Chrome, Safari as well as Edge did not execute the code.

Patches

2.x versions are fixed on >= 2.48.3 2.47.x versions are fixed on >= 2.47.8 2.46.x versions are fixed on >= 2.46.5 2.45.x versions are fixed on >= 2.45.5 2.44.x versions are fixed on >= 2.44.7 2.43.x versions are fixed on >= 2.43.11 2.42.x versions are fixed on >= 2.42.17

ZITADEL recommends upgrading to the latest versions available in due course.

Workarounds

There is no workaround since a patch is already available.

References

None

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

Thanks to Amit Laish – GE Vernova for finding and reporting the vulnerability.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-29891

CVE-2024-29891:

8.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/zitadel/zitadel	go	< 2.42.17	2.42.17
github.com/zitadel/zitadel	go	>= 2.43.0, < 2.43.11	2.43.11
github.com/zitadel/zitadel	go	>= 2.44.0, < 2.44.7	2.44.7
github.com/zitadel/zitadel	go	>= 2.45.0, < 2.45.5	2.45.5
github.com/zitadel/zitadel	go	>= 2.46.0, < 2.46.5	2.46.5
github.com/zitadel/zitadel	go	>= 2.47.0, < 2.47.8	2.47.8
github.com/zitadel/zitadel	go	>= 2.48.0, < 2.48.3	2.48.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper MIME type validation during file uploads. The patch notes explicitly mention adding 'detect mime type of uploaded asset' as a fix, indicating the original implementation lacked proper content sniffing. The vulnerability pattern matches functions handling file uploads without server-side content-type verification, which would normally prevent HTML files from being stored as images. The cross-version consistency of the fix (same commit message across all patched versions) strongly suggests a centralized upload handling function was vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

8.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-29891: ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass

Impact

Patches

Workarounds

References

Questions

Credits

CVE-2024-29891:

8.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

8.7

8.7

Basic Information

Basic Information

CVE-2024-29891: ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass

Impact

Patches

Workarounds

References

Questions

Credits

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI