SCA: security update for github.com/zitadel/zitadel (GHSA-v333-7h2p-5fhv)

medium Tenable Cloud Security Plugin ID 419025

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Zitadel is an open source identity management system. ZITADEL uses HTML for emails and renders certain
information, such as usernames, dynamically. That information can be entered by users or administrators. Due
to missing output sanitization, these emails could include malicious code. This may potentially lead to
a threat where an attacker, without privileges, could send out altered notifications that are part of the
registration processes. An attacker could create a malicious link, where the injected code would be
rendered as part of the email. On the user's detail page, the username was also not sanitized and would
also render HTML, exposing the same vulnerability there. While it was possible to inject HTML
including JavaScript, the execution of such scripts would be prevented by most email clients and by the
Content Security Policy in Console UI. This vulnerability is fixed in 2.58.1, 2.57.1, 2.56.2, 2.55.5,
2.54.8, 2.53.9, and 2.52.3. (CVE-2024-41953)
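The flaw class described above, unescaped user-supplied text rendered into an HTML notification body, shown as an added example in Go (Zitadel's implementation language); this is illustrative code, not Zitadel's own templates, and the template text, the `notification` type and the sample username are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// Constructed notification body: a username is interpolated into HTML.
const body = `<p>Hello {{.Username}}, your account has been created.</p>`

type notification struct{ Username string }

// renderUnsafe mirrors the vulnerable pattern: text/template knows nothing
// about HTML, so any markup in Username is copied into the email verbatim.
func renderUnsafe(username string) string {
	t := texttemplate.Must(texttemplate.New("mail").Parse(body))
	var buf bytes.Buffer
	if err := t.Execute(&buf, notification{Username: username}); err != nil {
		panic(err)
	}
	return buf.String()
}

// renderSafe is the hardened form: html/template escapes the value for the
// HTML text context it lands in, so "<" becomes "&lt;" and no tag is created.
func renderSafe(username string) string {
	t := htmltemplate.Must(htmltemplate.New("mail").Parse(body))
	var buf bytes.Buffer
	if err := t.Execute(&buf, notification{Username: username}); err != nil {
		panic(err)
	}
	return buf.String()
}

// containsInjectedTag is a regression check: after removing the template's
// own <p> tags, no "<" may remain in the rendered body.
func containsInjectedTag(rendered string) bool {
	stripped := strings.NewReplacer("<p>", "", "</p>", "").Replace(rendered)
	return strings.Contains(stripped, "<")
}

func main() {
	name := `<b>Alice</b>` // constructed username carrying markup
	fmt.Println(renderUnsafe(name))
	fmt.Println(renderSafe(name))
}
```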

See Also

https://github.com/advisories/GHSA-v333-7h2p-5fhv

Plugin Details

Severity: Medium

ID: 419025

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/29/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2024-41953

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 2.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/31/2024

Vulnerability Publication Date: 7/31/2024

Reference Information

CVE: CVE-2024-41953

CWE: CWE-79