x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41953

[GoVulnBot]

Advisory CVE-2024-41953 references a vulnerability in the following Go modules:

Module
github.com/zitadel/zitadel

Description:
Zitadel is an open source identity management system. ZITADEL uses HTML for emails and renders certain information such as usernames dynamically. That information can be entered by users or administrators. Due to a missing output sanitization, these emails could include malicious code. This may potentially lead to a threat where an attacker, without privileges, could send out altered notifications that are part of the registration processes. An attacker could create a malicious link, where the injected code would be rendered as part of the email. On the user's detail page, the username was als...

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-41953
• FIX: zitadel/zitadel@0e1f99e
• FIX: zitadel/zitadel@38da602
• FIX: zitadel/zitadel@4b59cac
• FIX: zitadel/zitadel@c1a3fc7
• FIX: zitadel/zitadel@c353f82
• FIX: zitadel/zitadel@d04ac6d
• FIX: zitadel/zitadel@f846616
• WEB: https://github.com/zitadel/zitadel/releases/tag/v2.52.3
• WEB: https://github.com/zitadel/zitadel/releases/tag/v2.53.9
• WEB: https://github.com/zitadel/zitadel/releases/tag/v2.54.8
• WEB: https://github.com/zitadel/zitadel/releases/tag/v2.55.5
• WEB: https://github.com/zitadel/zitadel/releases/tag/v2.56.2
• WEB: https://github.com/zitadel/zitadel/releases/tag/v2.57.1
• WEB: https://github.com/zitadel/zitadel/releases/tag/v2.58.1
• WEB: GHSA-v333-7h2p-5fhv

Cross references:

• github.com/zitadel/zitadel appears in 13 other report(s):
  • data/excluded/GO-2022-0961.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2022-36051 #961) NOT_IMPORTABLE
  • data/excluded/GO-2023-1489.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-6rrr-78xp-5jp8 #1489) NOT_IMPORTABLE
  • data/excluded/GO-2023-2107.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-44399 #2107) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2155.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-46238 #2155) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2187.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7h8m-vrxx-vr4m #2187) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2368.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-2wmj-46rj-qm2w #2368) NOT_IMPORTABLE
  • data/reports/GO-2024-2637.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-mq4x-r2w3-j7mr #2637)
  • data/reports/GO-2024-2655.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hfrg-4jwr-jfpj #2655)
  • data/reports/GO-2024-2664.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-gp8g-f42f-95q2 #2664)
  • data/reports/GO-2024-2665.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hr5w-cwwq-2v4m #2665)
  • data/reports/GO-2024-2788.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7j7j-66cv-m239 #2788)
  • data/reports/GO-2024-2804.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-32967 #2804)
  • data/reports/GO-2024-2968.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-39683 #2968)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/zitadel/zitadel
      vulnerable_at: 1.87.5
summary: CVE-2024-41953 in github.com/zitadel/zitadel
cves:
    - CVE-2024-41953
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41953
    - fix: https://github.com/zitadel/zitadel/commit/0e1f99e987b5851caec45a72660fe9f67e425747
    - fix: https://github.com/zitadel/zitadel/commit/38da602ee1cfc35c0d7918c298fbfc3f3674133b
    - fix: https://github.com/zitadel/zitadel/commit/4b59cac67bb89c1f3f84a2041dd273d11151d29f
    - fix: https://github.com/zitadel/zitadel/commit/c1a3fc72dde16e987d8a09aa291e7c2edfc928f7
    - fix: https://github.com/zitadel/zitadel/commit/c353f82f89c6982c0888c6763363296cf4263cb2
    - fix: https://github.com/zitadel/zitadel/commit/d04ac6df8f2f0243e649b802a8bfa6176cef0923
    - fix: https://github.com/zitadel/zitadel/commit/f846616a3f022e88e3ea8cea05d3254ad86f1615
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.52.3
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.53.9
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.54.8
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.55.5
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.56.2
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.57.1
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.58.1
    - web: https://github.com/zitadel/zitadel/security/advisories/GHSA-v333-7h2p-5fhv
source:
    id: CVE-2024-41953
    created: 2024-07-31T18:01:11.73054401Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/603235 mentions this issue: data/reports: add 29 unreviewed reports