CVE-2024-49757
published 2024-10-25


Priority: P4
Severity: medium (CVSS 3.1 base score 4.9)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Exploit likelihood
EPSS: 2.57% (83.2nd percentile)
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.

Affected (18 ranges)

Vendor        Product           Version range          Fixed in
github.com    zitadel_zitadel   >= 0 < 2.58.7          2.58.7
github.com    zitadel_zitadel   >= 2.59.0 < 2.59.5     2.59.5
github.com    zitadel_zitadel   >= 2.60.0 < 2.60.4     2.60.4
github.com    zitadel_zitadel   >= 2.61.0 < 2.61.4     2.61.4
github.com    zitadel_zitadel   >= 2.62.0 < 2.62.7     2.62.7
github.com    zitadel_zitadel   >= 2.63.0 < 2.63.5     2.63.5
zitadel       zitadel           < 2.58.6               2.58.6
zitadel       zitadel           < 2.58.7               2.58.7
zitadel       zitadel
zitadel       zitadel
zitadel       zitadel
zitadel       zitadel
zitadel       zitadel
zitadel       zitadel           >= 2.59.0 < 2.59.5     2.59.5
zitadel       zitadel           >= 2.60.0 < 2.60.4     2.60.4
zitadel       zitadel           >= 2.61.0 < 2.61.4     2.61.4
zitadel       zitadel           >= 2.62.0 < 2.62.7     2.62.7
zitadel       zitadel           >= 2.63.0 < 2.63.5     2.63.5