OpenZiti Ziti-Console Unauthenticated File Upload Vulnerability Leading to Stored Cross-Site Scripting

Vulnerability

A stored cross-site scripting vulnerability has been identified in OpenZiti Ziti-Console versions through 3.7.1. The issue arises from an unprotected (unauthenticated) endpoint on the admin panel that accepts file uploads via HTTP POST. Uploaded files are stored on the node and served back at a URL. If a file containing malicious script is uploaded and later opened in a browser, the script runs in the context of that user's browser session on the admin panel's origin. This endpoint has been disabled in version 3.7.1, as it is no longer needed with the application's transition to a single-page format.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded files containing malicious scripts are executed in the context of the user's browser.

Remediation

Users can upgrade to OpenZiti Ziti-Console version 3.7.1 or later to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.4
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.