CVE-2024-2435

Name of the Vulnerable Software and Affected Versions Temporal UI Server (affected versions not specified)

Description The issue allows an attacker with pre-existing access to send a signal to a workflow to execute a script when a victim views the signal. This is achieved by making the signal name a script. The cross-site scripting (XSS) vulnerability is present in the timeline page displaying the workflow execution details of the workflow that was sent the crafted signal. Access to send a signal to a workflow is determined by the configuration of the authorizer on the server, including entities with permission to directly call certain APIs or deploy a worker with access to call workflow progress APIs.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.