{"id":"CVE-2024-29891","summary":"ZITADEL Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass","details":"ZITADEL users can upload their own avatar image, and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. For this exploit to work, the victim would need to open the supposed image directly in a browser in which a ZITADEL session is active. The exploit could only be reproduced if the victim was using Firefox; Chrome, Safari and Edge did not execute the code. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.","aliases":["GHSA-hr5w-cwwq-2v4m","GO-2024-2665"],"modified":"2026-04-10T05:11:57.686967Z","published":"2024-03-27T19:18:08.078Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/29xxx/CVE-2024-29891.json","cwe_ids":["CWE-434"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.42.17"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.43.11"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.44.7"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.45.5"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.46.5"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.47.8"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.48.3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/29xxx/CVE-2024-29891.json"},{"type":"ADVISORY","url":"https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29891"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zitadel/zitadel","event
s":[{"introduced":"0"},{"fixed":"762b19da06b24cae4a1a5ec73d4e3a919e4454a2"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.42.17"}]}},{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"5cbf34334ffcaadb633f913e2b546d53b9a907fb"},{"fixed":"f183ba63381a243428e7f56d6cd0f826b2d61f3b"}],"database_specific":{"versions":[{"introduced":"2.43.0"},{"fixed":"2.43.11"}]}},{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"d3bb9c9b3b6091a58d4d831b0a494bd8518c3810"},{"fixed":"7682d4b5edd5c775ab47d5aa73e5876093719378"}],"database_specific":{"versions":[{"introduced":"2.44.0"},{"fixed":"2.44.7"}]}},{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"24868240f038e604bbb20cd70c20026dd2e17a69"},{"fixed":"17585d0dc7ba1fd1f69f5ffa452fd62464ed9acc"}],"database_specific":{"versions":[{"introduced":"2.45.0"},{"fixed":"2.45.5"}]}},{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"d87341ec91f4cd2ec78a98050a53918afa83c09a"},{"fixed":"7e8880e5de402901165ec1b5f7941e113e25d10a"}],"database_specific":{"versions":[{"introduced":"2.46.0"},{"fixed":"2.46.5"}]}},{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"704197c2827d3760ac01a72d47ec1317865b9d1c"},{"fixed":"4465e55b3873f7cf11df37a9022746ea74842a75"}],"database_specific":{"versions":[{"introduced":"2.47.0"},{"fixed":"2.47.8"}]}},{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"c1e448d6c1f0035fa3e56fa36f1780f75a18c6d6"},{"fixed":"4c2c9c22c460764c683f4cf4741bb37bee137b76"}],"database_specific":{"versions":[{"introduced":"2.48.0"},{"fixed":"2.48.3"}]}}],"versions":["2.20.0","cnsl-feature-dev","feat-new-mail-templates-dev","v0.0.0","v0.1.0","v0.10.0","v0.11.0","v0.119.0","v0.119.1","v0.119.2","v0.119.3","v0.119.4","v0.119.5","v0.119.6","v0.12.0","v0.120.0","v0.120.1","v0.121.0","v0.121.1","v0.121.2","v0.122.0","v0.122.1","v0.122.2","v0.122.3
","v0.122.4","v0.122.5","v0.123.0","v0.123.1","v0.123.2","v0.123.3","v0.123.4","v0.123.5","v0.124.0","v0.13.0","v0.14.0","v0.15.0","v0.16.0","v0.17.0","v0.17.1","v0.18.0","v0.18.1","v0.18.2","v0.18.3","v0.19.0","v0.2.0","v0.20.0","v0.20.1","v0.20.2","v0.21.0","v0.22.0","v0.22.1","v0.22.2","v0.22.3","v0.22.4","v0.22.5","v0.22.6","v0.22.7","v0.23.0","v0.23.1","v0.24.0","v0.24.1","v0.24.2","v0.24.3","v0.25.0","v0.25.1","v0.26.0","v0.27.0","v0.28.0","v0.29.0","v0.29.1","v0.3.0","v0.3.1","v0.30.0","v0.30.1","v0.31.0","v0.31.1","v0.31.2","v0.31.3","v0.32.0","v0.32.1","v0.32.2","v0.33.0","v0.33.1","v0.33.2","v0.33.3","v0.33.4","v0.33.5","v0.34.0","v0.35.0","v0.35.1","v0.35.2","v0.36.0","v0.37.0","v0.38.0","v0.39.0","v0.39.1","v0.4.0","v0.4.1","v0.40.0","v0.40.1","v0.40.2","v0.40.3","v0.40.4","v0.41.0","v0.41.1","v0.42.0","v0.42.1","v0.42.2","v0.42.3","v0.42.4","v0.43.0","v0.43.1","v0.43.2","v0.44.0","v0.44.1","v0.44.2","v0.44.3","v0.45.0","v0.46.0","v0.46.1","v0.47.0","v0.47.1","v0.47.2","v0.47.3","v0.47.4","v0.47.5","v0.48.0","v0.49.0","v0.49.1","v0.5.0","v0.50.0","v0.51.0","v0.51.1","v0.52.0","v0.53.0","v0.53.1","v0.53.2","v0.53.3","v0.53.4","v0.53.5","v0.54.0","v0.54.1","v0.54.2","v0.54.3","v0.54.4","v0.54.5","v0.55.0","v0.55.1","v0.55.10","v0.55.11","v0.55.12","v0.55.13","v0.55.2","v0.55.3","v0.55.4","v0.55.5","v0.55.6","v0.55.7","v0.55.8","v0.55.9","v0.56.0","v0.56.1","v0.57.0","v0.57.1","v0.57.2","v0.58.0","v0.59.0","v0.59.1","v0.6.0","v0.60.0","v0.60.1","v0.61.0","v0.61.1","v0.61.2","v0.61.3","v0.61.4","v0.62.0","v0.63.0","v0.63.1","v0.64.0","v0.64.1","v0.64.2","v0.64.3","v0.64.4","v0.64.5","v0.64.6","v0.64.7","v0.65.0","v0.66.0","v0.66.1","v0.67.0","v0.67.1","v0.67.2","v0.68.0","v0.69.0","v0.69.1","v0.7.0","v0.70.0","v0.70.1","v0.71.0","v0.72.0","v0.73.0","v0.74.0","v0.74.1","v0.74.2","v0.74.3","v0.74.4","v0.75.0","v0.75.1","v0.75.2","v0.75.3","v0.75.4","v0.75.5","v0.76.0","v0.76.1","v0.76.2","v0.76.3","v0.77.0","v0.77.1","v0.77.2","v0.77.3","v0.77.4","v0.77.5","v0
.78.0","v0.78.1","v0.78.2","v0.79.0","v0.8.0","v0.80.0","v0.80.1","v0.80.2","v0.81.0","v0.81.1","v0.81.2","v0.81.3","v0.81.4","v0.81.5","v0.81.6","v0.82.0","v0.82.1","v0.82.2","v0.82.3","v0.82.4","v0.83.0","v0.83.1","v0.83.2","v0.83.3","v0.83.4","v0.83.5","v0.83.6","v0.84.0","v0.84.1","v0.84.2","v0.84.3","v0.84.4","v0.85.0","v0.85.1","v0.85.2","v0.85.3","v0.85.4","v0.86.0","v0.86.1","v0.86.2","v0.87.0","v0.87.1","v0.88.0","v0.88.1","v0.88.2","v0.88.3","v0.9.0","v1-events-queries-dev","v1.0.0","v1.0.1","v1.0.2","v1.0.3","v1.0.4","v1.1.0","v1.10.0","v1.10.1","v1.10.2","v1.10.3","v1.10.4","v1.10.5","v1.11.0","v1.11.1","v1.12.0","v1.12.1","v1.12.2","v1.12.3","v1.12.4","v1.12.5","v1.12.6","v1.12.7","v1.13.0","v1.14.0","v1.14.1","v1.15.0","v1.15.1","v1.16.0","v1.16.1","v1.16.2","v1.16.3","v1.16.4","v1.16.5","v1.16.6","v1.16.7","v1.16.8","v1.17.0","v1.17.1","v1.17.2","v1.17.3","v1.17.4","v1.17.5","v1.17.6","v1.17.7","v1.18.0","v1.18.1","v1.19.0","v1.19.1","v1.19.2","v1.19.3","v1.19.4","v1.2.0","v1.2.1","v1.2.2","v1.2.3","v1.2.4","v1.2.5","v1.2.6","v1.2.7","v1.20.0","v1.20.1","v1.20.2","v1.20.3","v1.20.4","v1.20.5","v1.21.0","v1.21.1","v1.21.2","v1.21.3","v1.21.4","v1.22.0","v1.22.1","v1.22.10","v1.22.11","v1.22.12","v1.22.13","v1.22.2","v1.22.3","v1.22.4","v1.22.5","v1.22.6","v1.22.7","v1.22.8","v1.22.9","v1.23.0","v1.23.1","v1.23.2","v1.23.3","v1.23.4","v1.23.5","v1.24.0","v1.24.1","v1.24.2","v1.25.0","v1.25.1","v1.26.0","v1.26.1","v1.27.0","v1.27.1","v1.27.2","v1.27.3","v1.27.4","v1.28.0","v1.28.1","v1.28.2","v1.28.3","v1.28.4","v1.29.0","v1.29.1","v1.29.2","v1.29.3","v1.29.4","v1.29.5","v1.29.6","v1.3.0","v1.30.0","v1.30.1","v1.30.2","v1.31.0","v1.31.1","v1.32.0","v1.32.1","v1.32.2","v1.32.3","v1.32.4","v1.32.5","v1.33.0","v1.33.1","v1.34.0","v1.34.1","v1.34.10","v1.34.11","v1.34.2","v1.34.3","v1.34.4","v1.34.5","v1.34.6","v1.34.7","v1.34.8","v1.34.9","v1.35.0","v1.35.1","v1.36.0","v1.37.0","v1.38.0","v1.39.0","v1.39.1","v1.4.0","v1.40.0","v1.41.0","v1.41.1","v1.41.2","
v1.41.3","v1.41.4","v1.42.0","v1.42.1","v1.42.2","v1.43.0","v1.43.1","v1.43.2","v1.43.3","v1.43.4","v1.44.0","v1.44.1","v1.44.2","v1.44.3","v1.45.0","v1.45.1","v1.45.2","v1.45.3","v1.45.4","v1.45.5","v1.45.6","v1.46.0","v1.46.1","v1.46.2","v1.46.3","v1.46.4","v1.47.0","v1.47.1","v1.47.2","v1.47.3","v1.47.4","v1.47.5","v1.47.6","v1.48.0","v1.48.1","v1.48.2","v1.48.3","v1.48.4","v1.48.5","v1.48.6","v1.48.7","v1.48.8","v1.49.0","v1.49.1","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.50.0","v1.50.1","v1.50.2","v1.50.3","v1.50.4","v1.51.0","v1.52.0","v1.52.1","v1.52.2","v1.53.0","v1.53.1","v1.53.2","v1.54.0","v1.54.1","v1.54.10","v1.54.2","v1.54.3","v1.54.4","v1.54.5","v1.54.6","v1.54.7","v1.54.8","v1.54.9","v1.55.0","v1.55.1","v1.55.2","v1.56.0","v1.56.1","v1.56.10","v1.56.11","v1.56.12","v1.56.13","v1.56.14","v1.56.15","v1.56.16","v1.56.17","v1.56.18","v1.56.19","v1.56.2","v1.56.20","v1.56.21","v1.56.22","v1.56.3","v1.56.4","v1.56.5","v1.56.6","v1.56.7","v1.56.8","v1.56.9","v1.57.0","v1.57.1","v1.58.0","v1.59.0","v1.59.1","v1.59.2","v1.59.3","v1.6.0","v1.6.1","v1.6.2","v1.6.3","v1.6.4","v1.6.5","v1.60.0","v1.60.1","v1.60.2","v1.60.3","v1.61.0","v1.62.0","v1.62.1","v1.62.2","v1.63.0","v1.64.0","v1.65.0","v1.66.0","v1.66.1","v1.66.2","v1.66.3","v1.66.4","v1.66.5","v1.66.6","v1.66.7","v1.66.8","v1.66.9","v1.67.0","v1.67.1","v1.68.0","v1.68.1","v1.69.0","v1.69.1","v1.69.2","v1.69.3","v1.69.4","v1.69.5","v1.69.6","v1.69.7","v1.69.8","v1.7.0","v1.7.1","v1.7.2","v1.7.3","v1.7.4","v1.70.0","v1.70.1","v1.70.2","v1.71.0","v1.71.1","v1.71.2","v1.72.0","v1.72.1","v1.73.0","v1.73.1","v1.73.2","v1.73.3","v1.73.4","v1.74.0","v1.75.0","v1.75.1","v1.75.2","v1.75.3","v1.75.4","v1.75.5","v1.75.6","v1.75.7","v1.75.8","v1.76.0","v1.76.1","v1.76.2","v1.77.0","v1.77.1","v1.77.2","v1.78.0","v1.79.0","v1.8.0","v1.8.1","v1.8.2","v1.8.3","v1.8.4","v1.80.0-v2.1","v1.80.0-v2.10","v1.80.0-v2.11","v1.80.0-v2.12","v1.80.0-v2.13","v1.80.0-v2.14","v1.80.0-v2.15","v1.80.0-v2.16","v1.80.0-v2.17","v1.80.0-v2.18
","v1.80.0-v2.19","v1.80.0-v2.2","v1.80.0-v2.20","v1.80.0-v2.3","v1.80.0-v2.4","v1.80.0-v2.5","v1.80.0-v2.6","v1.80.0-v2.7","v1.80.0-v2.8","v1.80.0-v2.9","v1.9.0","v1.9.1","v1.9.2","v2.0.0","v2.0.0-v2-alpha.1","v2.0.0-v2-alpha.10","v2.0.0-v2-alpha.11","v2.0.0-v2-alpha.12","v2.0.0-v2-alpha.13","v2.0.0-v2-alpha.14","v2.0.0-v2-alpha.15","v2.0.0-v2-alpha.16","v2.0.0-v2-alpha.17","v2.0.0-v2-alpha.18","v2.0.0-v2-alpha.19","v2.0.0-v2-alpha.2","v2.0.0-v2-alpha.20","v2.0.0-v2-alpha.21","v2.0.0-v2-alpha.22","v2.0.0-v2-alpha.23","v2.0.0-v2-alpha.24","v2.0.0-v2-alpha.25","v2.0.0-v2-alpha.26","v2.0.0-v2-alpha.27","v2.0.0-v2-alpha.28","v2.0.0-v2-alpha.29","v2.0.0-v2-alpha.3","v2.0.0-v2-alpha.30","v2.0.0-v2-alpha.31","v2.0.0-v2-alpha.32","v2.0.0-v2-alpha.33","v2.0.0-v2-alpha.34","v2.0.0-v2-alpha.35","v2.0.0-v2-alpha.36","v2.0.0-v2-alpha.37","v2.0.0-v2-alpha.38","v2.0.0-v2-alpha.39","v2.0.0-v2-alpha.4","v2.0.0-v2-alpha.40","v2.0.0-v2-alpha.41","v2.0.0-v2-alpha.42","v2.0.0-v2-alpha.43","v2.0.0-v2-alpha.44","v2.0.0-v2-alpha.5","v2.0.0-v2-alpha.6","v2.0.0-v2-alpha.7","v2.0.0-v2-alpha.8","v2.0.0-v2-alpha.9","v2.0.1","v2.1.0","v2.1.1","v2.10.0","v2.11.0","v2.11.1","v2.12.0","v2.13.0","v2.13.1","v2.14.0","v2.14.1","v2.14.2","v2.14.3","v2.14.4","v2.14.5","v2.15.0","v2.16.0","v2.16.1","v2.17.0","v2.17.1","v2.18.0","v2.19.0","v2.2.0","v2.20.0","v2.21.0","v2.22.0","v2.22.1","v2.22.2","v2.23.0","v2.23.1","v2.24.0","v2.25.0","v2.25.1","v2.25.2","v2.25.3","v2.26.0","v2.26.1","v2.26.2","v2.27.0","v2.27.1","v2.28.0","v2.28.1","v2.29.0","v2.29.1","v2.29.2","v2.29.3","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.3.4","v2.30.0","v2.31.0","v2.31.1","v2.31.2","v2.31.3","v2.31.4","v2.31.5","v2.32.0","v2.33.0","v2.33.1","v2.34.0","v2.34.1","v2.35.0","v2.35.1","v2.36.0","v2.36.1","v2.36.2","v2.36.3","v2.37.0","v2.37.1","v2.37.2","v2.37.3","v2.38.0","v2.38.1","v2.39.0","v2.39.1","v2.39.2","v2.39.3","v2.4.0","v2.40.0","v2.40.1","v2.40.2","v2.40.3","v2.40.4","v2.40.5","v2.41.0","v2.41.1","v2.41.2","v2.41.3","v2.4
1.4","v2.41.5","v2.42.0","v2.42.1","v2.42.10","v2.42.11","v2.42.12","v2.42.13","v2.42.14","v2.42.15","v2.42.16","v2.42.2","v2.42.3","v2.42.4","v2.42.5","v2.42.6","v2.42.7","v2.42.8","v2.42.9","v2.43.0","v2.43.1","v2.43.10","v2.43.2","v2.43.3","v2.43.4","v2.43.5","v2.43.6","v2.43.7","v2.43.8","v2.43.9","v2.44.0","v2.44.1","v2.44.2","v2.44.3","v2.44.4","v2.44.5","v2.44.6","v2.45.0","v2.45.1","v2.45.2","v2.45.3","v2.45.4","v2.46.0","v2.46.1","v2.46.2","v2.46.3","v2.46.4","v2.47.0","v2.47.1","v2.47.2","v2.47.3","v2.47.4","v2.47.5","v2.47.6","v2.47.7","v2.48.0","v2.48.1","v2.48.2","v2.5.0","v2.5.1","v2.6.0","v2.7.0","v2.8.0","v2.8.1","v2.8.2","v2.9.0","v2.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-29891.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"}]}