Description
ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. A possible victim would need to directly open the supposed image in the browser, where a session in ZITADEL needs to be active for this exploit to work. The exploit could only be reproduced if the victim was using Firefox. Chrome, Safari as well as Edge did not execute the code. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.
Details
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Affected Packages
| Software | From version | Fixed in |
|---|---|---|
| github.com/zitadel/zitadel | — | — |
| zitadel | 2.48.0 | 2.48.3 |
References
Similar Threats
- Critical CVE-2025-27507
- Medium CVE-2024-49753
- High CVE-2024-49757
- High CVE-2024-46999
- High CVE-2024-47000
Site Security Check
Concerned your site may already be targeted?
BotEraser analyzes incoming traffic patterns and helps identify bot behavior consistent with known exploit attempts.
Check My Site Free →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.