
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-41953 affects Zitadel, an open source identity management system. The vulnerability was discovered and disclosed on July 31, 2024, and involves improper HTML sanitization in emails and the Console UI. The vulnerability affects multiple versions of Zitadel including versions prior to 2.52.3, 2.53.9, 2.54.8, 2.55.5, 2.56.2, and versions 2.57.0 and 2.58.0 (Vendor Advisory).
The vulnerability stems from missing output sanitization in the system's email functionality and user interface. ZITADEL uses HTML for emails and renders certain information such as usernames dynamically. The vulnerability is classified as CWE-79 (Cross-site Scripting) with a CVSS v3.1 base score of 4.3 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The NVD has assigned a higher CVSS score of 6.1 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).
The vulnerability could allow an attacker, without privileges, to send out altered notifications that are part of the registration processes. Additionally, on the user's detail page, unsanitized usernames could render HTML, presenting the same vulnerability. While HTML injection including JavaScript was possible, the execution of such scripts would be prevented by most email clients and the Content Security Policy in Console UI (Vendor Advisory).
The vulnerability has been patched in multiple versions: 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8, 2.53.9, and 2.52.3. The fixes include sanitizing all arguments used for emails with html.EscapeString, removing html.UnescapeString from email text, and eliminating [innerHtml] usage for username rendering in the Console. No workarounds are available; upgrading to a patched version is the only remediation (Vendor Advisory).
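As an added illustration (not code from the advisory or from ZITADEL itself), the following Go program contrasts the defective pattern the advisory describes, a username interpolated verbatim into an HTML email body and then passed through html.UnescapeString, with the fix of escaping every template argument with html.EscapeString. The template text, the helper names and the sample username are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"strings"
	"text/template"
)

// Hypothetical notification template in the style of the HTML emails the
// advisory describes (constructed for this example, not ZITADEL's own).
const welcomeTmpl = `<p>Welcome {{.Username}}, please confirm your address.</p>`

type emailArgs struct{ Username string }

// execute fills the template with text/template, which performs no escaping.
func execute(username string) string {
	tmpl := template.Must(template.New("mail").Parse(welcomeTmpl))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, emailArgs{Username: username}); err != nil {
		panic(err)
	}
	return buf.String()
}

// renderUnsafe reproduces the defective pattern: the username is interpolated
// verbatim, then html.UnescapeString runs over the whole body, so even a
// caller that pre-escaped the value has that escaping undone.
func renderUnsafe(username string) string {
	return html.UnescapeString(execute(username))
}

// renderSafe reproduces the fix: every argument is escaped with
// html.EscapeString before templating and no UnescapeString call follows.
func renderSafe(username string) string {
	return execute(html.EscapeString(username))
}

// injectedTags counts '<' characters in the rendered body beyond those the
// template itself contributes; any surplus is caller-supplied markup.
func injectedTags(body string) int {
	return strings.Count(body, "<") - strings.Count(welcomeTmpl, "<")
}

func main() {
	// Constructed username carrying harmless markup to make the difference visible.
	name := "<b>alice</b>"
	fmt.Printf("unsafe: %q (injected tags: %d)\n", renderUnsafe(name), injectedTags(renderUnsafe(name)))
	fmt.Printf("safe:   %q (injected tags: %d)\n", renderSafe(name), injectedTags(renderSafe(name)))
}
```

Go's html/template package would apply the same contextual escaping automatically; the explicit html.EscapeString call mirrors the fix as the advisory describes it.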
Source: This report was generated using AI