During an engagement, Ethan McKee-Harris, with the aid of Michael Tsai and Jack Moran, discovered a stored Cross-Site Scripting (XSS) vulnerability in Zitadel. When exploited, it would give a malicious user the ability to conduct a silent account takeover with a single-click payload. The issue has been rated 8.7 (High) on the CVSS 3.1 scale and assigned CVE-2023-46238.
Throughout the disclosure process, Zitadel have been helpful and responsive. They quickly triaged and looked to remediate the discovered vulnerabilities.
What is Zitadel?
Zitadel is a unified identity infrastructure built as an open-source project that helps engineers focus their time on business features. Zitadel supports B2B, B2C and M2M settings while it provides crucial turnkey features like a hosted login, passwordless and multifactor authentication, authorization, single sign-on, OpenID Connect, SAML, extensibility with code (actions), APIs for everything and much more.
While testing a deployed Zitadel instance, it was discovered that SVG was a supported file type for user avatars. While Zitadel’s primary dashboard routes feature a fairly restrictive Content Security Policy (CSP), the route from which uploaded assets are served carries no CSP at all. Further, assets are not served with a Content-Disposition header, which would instruct clients to download the image rather than render it within the context of the web application's domain.
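The two missing controls described above can be checked against a minimal asset route. The following is an added example written for this write-up, not Zitadel's own code: it detects SVG by declared type or leading bytes, and serves stored avatars with a restrictive CSP, nosniff and Content-Disposition: attachment. Function names, the `/assets/` path and the sample SVG are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isSVG checks both the declared MIME type and the first bytes, so a mislabelled upload is still caught.
func isSVG(contentType string, data []byte) bool {
	if strings.HasPrefix(strings.ToLower(contentType), "image/svg+xml") {
		return true
	}
	head := bytes.ToLower(data)
	if len(head) > 512 {
		head = head[:512]
	}
	return bytes.Contains(head, []byte("<svg"))
}

// assetHandler serves a stored avatar as an opaque download: the CSP allows no script source and
// sandboxes the document, nosniff blocks type sniffing, and Content-Disposition forces a download.
func assetHandler(name string, data []byte, contentType string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Content-Type", contentType)
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
		h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", name))
		w.Write(data)
	}
}

// serveAsset runs assetHandler against a recorder and returns the response headers for inspection.
func serveAsset(name string, data []byte, contentType string) http.Header {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/assets/"+name, nil)
	assetHandler(name, data, contentType).ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	// Constructed sample: a harmless SVG uploaded with a misleading PNG content type.
	sample := []byte(`<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>`)
	fmt.Println("svg detected:", isSVG("image/png", sample))
	fmt.Println(serveAsset("avatar.svg", sample, "image/svg+xml"))
}
```

Rejecting SVG at upload time with isSVG is the simpler fix; the response headers are the defence for assets that must still be served.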
The ability to send emails with almost arbitrary content to any email address using the Zitadel platform was also discovered. This functionality would be an ideal way to deliver the stored XSS link to unsuspecting victims through a trusted medium. Zitadel considers this email injection to be a known n-day vulnerability.
Proof of Concepts
Silent account takeover
This PoC could also be simplified to send the OAuth token to the malicious user rather than a passwordless sign-up link.
The following payload could be added into the “Family Name” field to remove the trailing email content:
Any content in the first name and content in the family name fields before this HTML would become the only content in the email.
Complete account takeover.
How To Fix
Update to the latest version of Zitadel.
It has been patched in the following versions:
Vulnerability Disclosure Timeline
- 12/10/2023 - XSS disclosed to vendor
- 13/10/2023 - Vendor response
- 13/10/2023 - Further disclosed email injection
- 16/10/2023 - Vendor responds citing email injection is an ‘n day’ and requests PoC showing possible impact of XSS
- 19/10/2023 - Silent account takeover PoC sent
- 19/10/2023 - Vendor acknowledges PoC and states they will look into it
- 25/10/2023 - Vendor still assessing the impact of the issue and relevant mitigation
- 26/10/2023 - Vendor fixed, released advisory and issued CVE