
Broken Authorization in ZITADEL Actions

### Impact

**Actions**, introduced in ZITADEL **1.42.0** for the API and **1.56.0** for Console, is a feature that lets users with the role `ORG_OWNER` create JavaScript code which the system invokes at certain points during the login flow.
**Actions** allow, for example, creating authorizations (user grants) on newly created users programmatically.
Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organisations inside the same instance. Granting authorizations via the API and Console is not affected by this vulnerability.
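To make the missing check concrete, here is an added, simplified model (not ZITADEL's code; the `Instance`, `Project`, `Action` and `UserGrant` types and the method names are assumptions) showing the unchecked "before" behaviour next to the fixed one: a user grant created from an Action must be refused when the target project is owned by an organisation other than the one the Action belongs to.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Project:
    project_id: str
    org_id: str  # organisation that owns the project

@dataclass(frozen=True)
class Action:
    action_id: str
    org_id: str  # organisation whose ORG_OWNER created the Action

@dataclass(frozen=True)
class UserGrant:
    user_id: str
    project_id: str
    roles: tuple

@dataclass
class Instance:
    projects: dict = field(default_factory=dict)  # project_id -> Project
    grants: list = field(default_factory=list)

    def grant_from_action_unchecked(self, action, user_id, project_id, roles):
        """'Before' behaviour: any project in the instance can be granted."""
        project = self.projects[project_id]  # action.org_id is never consulted
        grant = UserGrant(user_id, project.project_id, tuple(roles))
        self.grants.append(grant)
        return grant

    def grant_from_action(self, action, user_id, project_id, roles):
        """Fixed behaviour: the project must be owned by the Action's organisation."""
        project = self.projects[project_id]
        if project.org_id != action.org_id:
            raise PermissionError(
                f"action {action.action_id} of org {action.org_id} may not grant "
                f"project {project_id} owned by org {project.org_id}")
        grant = UserGrant(user_id, project.project_id, tuple(roles))
        self.grants.append(grant)
        return grant


def build_sample_instance():
    """Constructed sample data: two organisations sharing one instance."""
    inst = Instance()
    inst.projects["proj-a"] = Project("proj-a", "org-a")
    inst.projects["proj-b"] = Project("proj-b", "org-b")
    return inst
```

The same ownership comparison is what an audit of existing user grants would use to spot grants that an Action created across organisation boundaries before the fix.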

### Patches

* 2.x versions are fixed in >= [2.2.0](https://github.com/zitadel/zitadel/releases/tag/v2.2.0)
* 1.x versions are fixed in >= [1.87.1](https://github.com/zitadel/zitadel/releases/tag/v1.87.1)

ZITADEL recommends upgrading to the latest versions available in due course.

### Workarounds

There is no workaround since a patch is already available.

### Who disclosed this

During our recurring white-box penetration test, our external security consultant found this issue.
The full report will be made public after the complete review.

### References

https://docs.zitadel.com/docs/guides/manage/customize/behavior
https://docs.zitadel.com/docs/apis/actions
https://zitadel.com/blog/pentest-results-h1-2021

### Questions

If you have any questions or comments about this advisory:
* Email us at [security@zitadel.com](mailto:security@zitadel.com)