{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-25T07:28:59.331","vulnerabilities":[{"cve":{"id":"CVE-2023-49097","sourceIdentifier":"security-advisories@github.com","published":"2023-11-30T05:15:09.503","lastModified":"2024-11-21T08:32:49.033","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"ZITADEL is an identity infrastructure system. ZITADEL uses the notification-triggering request's Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the user's password and take over their account. Accounts with MFA or Passwordless enabled cannot be taken over by this attack. This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9.\n"},{"lang":"es","value":"ZITADEL es un sistema de infraestructura de identidad. ZITADEL utiliza el encabezado Forwarded o X-Forwarded-Host de la solicitud que activa la notificación para crear el enlace del botón enviado en los correos electrónicos para confirmar un restablecimiento de contraseña con el código enviado por correo electrónico. Si este encabezado se sobrescribe y un usuario hace clic en el enlace a un sitio malicioso en el correo electrónico, el código secreto se puede recuperar y utilizar para restablecer la contraseña del usuario y hacerse cargo de su cuenta. Este ataque no puede apoderarse de las cuentas con MFA o sin contraseña habilitadas. Este problema se solucionó en las versiones 2.41.6, 2.40.10 y 2.39.9."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-640"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.39.0","versionEndExcluding":"2.39.9","matchCriteriaId":"B217DCB5-07BA-4BA3-97A2-91397DAA878D"},{"vulnerable":true,"criteria":"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.40.0","versionEndExcluding":"2.40.10","matchCriteriaId":"75A6467A-C432-4810-A2D9-FBED9090ED67"},{"vulnerable":true,"criteria":"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.41.0","versionEndExcluding":"2.41.6","matchCriteriaId":"A14C74C2-0A2A-4F71-86D6-7CFE7911D6EB"}]}]}],"references":[{"url":"https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w","source":"security-advisories@github.com","tags":["Exploit","Patch","Vendor Advisory"]},{"url":"https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Patch","Vendor Advisory"]}]}}]}