CVE-2023-49097: ZITADEL vulnerable account takeover via malicious host header injection

8.1 CVSS

Description

ZITADEL is an identity infrastructure system. ZITADEL uses the Forwarded or X-Forwarded-Host header of the request that triggers the notification to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and the user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the user's password and take over their account. Accounts with MFA or Passwordless enabled cannot be taken over by this attack. This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9.
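The pattern behind this class of bug, and the fix, shown as an added illustration in Go (this is not ZITADEL's code or its patch): the reset link is built from a host value the request itself supplies, so a spoofed Forwarded/X-Forwarded-Host header ends up in the email. The hardened variant checks the host against a configured allowlist before using it. The `trustedHosts` map, the `/password/reset` path and the sample request are constructed for the example; a real deployment would take the canonical external domain from configuration rather than from any request header.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// Constructed allowlist of hosts this deployment is legitimately served on.
// In a real deployment this comes from configuration, never from the request.
var trustedHosts = map[string]bool{
	"auth.example.com": true,
}

// vulnerableResetLink builds the password-reset button link from the
// request's forwarded host header, the pattern the advisory describes:
// whatever host the triggering request carries is copied into the email.
func vulnerableResetLink(r *http.Request, code string) string {
	host := r.Header.Get("X-Forwarded-Host")
	if host == "" {
		host = r.Host
	}
	return fmt.Sprintf("https://%s/password/reset?code=%s", host, url.QueryEscape(code))
}

// safeResetLink builds the link only from a host that is on the configured
// allowlist. A forwarded host that is not on the list is rejected with an
// error rather than echoed back into the email.
func safeResetLink(r *http.Request, code string) (string, error) {
	host := r.Header.Get("X-Forwarded-Host")
	if host == "" {
		host = r.Host
	}
	if !trustedHosts[host] {
		return "", fmt.Errorf("untrusted host in reset request: %q", host)
	}
	u := url.URL{Scheme: "https", Host: host, Path: "/password/reset"}
	q := u.Query()
	q.Set("code", code)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed request: the legitimate host plus a spoofed forwarded header.
	r, _ := http.NewRequest(http.MethodPost, "https://auth.example.com/password/reset", nil)
	r.Header.Set("X-Forwarded-Host", "not-our-domain.example")

	fmt.Println("vulnerable:", vulnerableResetLink(r, "123456"))
	if _, err := safeResetLink(r, "123456"); err != nil {
		fmt.Println("hardened:  ", err)
	}
}
```

The allowlist check is the application-side mitigation; the complementary infrastructure control is a reverse proxy that overwrites, rather than passes through, client-supplied Forwarded and X-Forwarded-Host headers so the application only ever sees values the proxy set. Logging the rejected host value, as the error above does, also gives the security team a detection signal for spoofing attempts.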

Classification

CVE ID: CVE-2023-49097

CVSS Base Severity: HIGH

CVSS Base Score: 8.1

Affected Products

Vendor: zitadel

Product: zitadel

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.22% (probability of being exploited)

EPSS Percentile: 60.8% (proportion of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-03 (date this score was calculated)

References

https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w

Timeline