CVSS3
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
9.0%
github.com/zitadel/zitadel is vulnerable to Session Fixation. The vulnerability is due to the mishandling of a cookie with subdomains of the ZITADEL instance. While the cookie was initially handled following best practices, its accessibility on subdomains creates a potential security risk, allowing attackers to provide a malicious link hosted on a subdomain, tricking users into clicking and gaining unauthorized access to the victim’s account.