CVE-2024-36366
Published: 29 May 2024
Summary
CVE-2024-36366 is a medium-severity cross-site scripting (CWE-79) vulnerability in JetBrains TeamCity. Its CVSS 3.1 base score is 5.4 (Medium).
Operationally, it ranks in the top 2.3% of CVEs by estimated exploit likelihood (EPSS); it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
CVE-2024-36366 is a cross-site scripting flaw (CWE-79) in JetBrains TeamCity versions before 2022.04.7, 2022.10.6, 2023.05.6 and 2023.11.5. It is triggered through certain report grouping and filtering operations and carries a CVSS 3.1 base score of 5.4. That score corresponds to a network attack vector, low attack complexity, low privileges required, required user interaction, changed scope and low confidentiality and integrity impact (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N); the same vector with no privileges required would score 6.1, so the 5.4 figure implies the attacker needs an account.
An attacker with low-privilege access to the TeamCity web UI can supply crafted input that executes arbitrary script in a victim's browser session when the victim performs the affected report operations, resulting in limited disclosure or modification of data accessible to that user.
The JetBrains advisory published at https://www.jetbrains.com/privacy-security/issues-fixed/ states that the issue is resolved by upgrading to one of the listed fixed releases.
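The affected range above is four release branches, each fixed at a specific patch level, which is awkward to check by eye across an inventory of build servers. The following is an added example, not JetBrains code or anything taken from the advisory: it parses a TeamCity version string and decides whether it falls in the affected range. The version format ("YYYY.MM" or "YYYY.MM.patch", with any trailing text such as a build number ignored) and the host inventory are assumptions constructed for the example; the handling of branches the advisory does not name is this example's own reading of "before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5".

```javascript
// Added example, not JetBrains code: decide whether a TeamCity version string
// falls in the affected range named in the advisory for CVE-2024-36366.
// Assumed input format: "YYYY.MM" or "YYYY.MM.patch", optionally followed by
// text such as " (build NNN)", which is ignored.
const FIXED_RELEASES = ['2022.04.7', '2022.10.6', '2023.05.6', '2023.11.5'];

function parseVersion(s) {
  const m = /^(\d{4})\.(\d{1,2})(?:\.(\d+))?/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised TeamCity version string: ${s}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: m[3] === undefined ? 0 : Number(m[3]),
  };
}

function compareVersions(a, b) {
  return (a.major - b.major) || (a.minor - b.minor) || (a.patch - b.patch);
}

function formatVersion(v) {
  return `${v.major}.${String(v.minor).padStart(2, '0')}.${v.patch}`;
}

// Returns { vulnerable, reason }. Reading of the advisory: each listed release
// fixes its own branch (major.minor); anything older than the oldest listed
// release is "before 2022.04.7" and therefore affected; branches newer than
// the newest listed release are not named and are reported as not affected.
function classify(versionString) {
  const v = parseVersion(versionString);
  const fixed = FIXED_RELEASES.map(parseVersion).sort(compareVersions);
  const branchFix = fixed.find(f => f.major === v.major && f.minor === v.minor);
  if (branchFix) {
    return compareVersions(v, branchFix) < 0
      ? { vulnerable: true, reason: `below fixed release ${formatVersion(branchFix)} in its branch` }
      : { vulnerable: false, reason: `at or above fixed release ${formatVersion(branchFix)}` };
  }
  if (compareVersions(v, fixed[0]) < 0) {
    return { vulnerable: true, reason: `older than the oldest fixed release ${formatVersion(fixed[0])}` };
  }
  if (compareVersions(v, fixed[fixed.length - 1]) > 0) {
    return { vulnerable: false, reason: 'branch newer than any release named in the advisory' };
  }
  // A branch between the listed ones that the advisory does not name: fail closed.
  return { vulnerable: true, reason: 'branch not named in the advisory; treated as affected until confirmed' };
}

// Constructed inventory for the demonstration, not real hosts.
const CONSTRUCTED_INVENTORY = [
  ['ci-build-01', '2023.05.4'],
  ['ci-build-02', '2023.11.5'],
  ['ci-legacy', '2021.2.3'],
  ['ci-new', '2024.03.1'],
];

for (const [host, version] of CONSTRUCTED_INVENTORY) {
  const r = classify(version);
  console.log(`${host.padEnd(12)} ${version.padEnd(10)} ${r.vulnerable ? 'VULNERABLE' : 'ok'}  ${r.reason}`);
}
```

Feed it the version string from each server's `/app/rest/server` endpoint or login page footer; a version with no patch component (for example "2023.11") is treated as patch 0 and therefore as affected.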
The EPSS score is 0.4462, an estimated 44.6% probability of exploitation activity in the wild within the next 30 days; no rise from a lower baseline has been recorded.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36034
Vulnerability details
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 an XSS could be executed via certain report grouping and filtering operations
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6 and 2023.11.5.
Mitigating Controls
Likely mitigating controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the controls below are derived from the weakness type (CWE-79) cited in the NVD entry.
- Penetration testing: submitting XSS payloads to web application inputs, here the report grouping and filtering parameters, detects cross-site scripting flaws so they can be remediated before an attacker finds them.
- Input validation: rejecting or constraining script-related content in web inputs. On its own this is a weak control against XSS: blocklists are routinely bypassed through case changes, event-handler attributes and attribute break-outs, so it supplements output encoding rather than replacing it.
- Output encoding: context-aware escaping of user-controlled data at the point it is written into HTML content, attribute values, JavaScript or URLs neutralises script content in generated pages and is the primary defence for CWE-79. A Content Security Policy that forbids inline script limits the impact if an encoding gap remains.
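The three controls above are easiest to compare side by side in code. The following is an added example written for this page; it is not TeamCity code and does not reproduce the actual flaw. The "report group label" parameter, the two-element page template, the payload list and the deliberately weak blocklist are all constructed for the demonstration. It renders each constructed payload through an unencoded template and an encoded one, and uses a quote-aware tag scanner as the kind of oracle a pentest or regression harness would apply to the rendered HTML.

```javascript
// Added example for the mitigating controls above; not JetBrains/TeamCity code.
// The "report group label" parameter and the page template are hypothetical.

// Constructed test inputs (not captured from TeamCity).
const CONSTRUCTED_PAYLOADS = [
  '<script>alert(1)</script>',           // the textbook payload
  '<ScRiPt>alert(1)</ScRiPt>',           // case variation
  '<img src=x onerror=alert(1)>',        // executes without any <script> tag
  '" autofocus onfocus=alert(1) x="',    // breaks out of a quoted attribute
  'Release & QA <Europe>',               // legitimate text that must render intact
];

// Input validation as commonly (mis)implemented: a case-sensitive blocklist.
// Returns true when the input is accepted.
function naiveInputFilter(label) {
  return !label.includes('<script');
}

// Output encoding: the five HTML metacharacters, so data is safe both in
// element content and in double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable renderer: raw concatenation into element content and an attribute.
function renderGroupHeaderVulnerable(label) {
  return `<h2 class="group">${label}</h2><input name="filter" value="${label}">`;
}

// Hardened renderer: the same template with the label encoded at output time.
function renderGroupHeaderSafe(label) {
  const enc = escapeHtml(label);
  return `<h2 class="group">${enc}</h2><input name="filter" value="${enc}">`;
}

// Quote-aware tag scanner used as a test oracle. It tokenises tags and their
// attributes the way a browser would, so markup sitting inside a quoted
// attribute value is not mistaken for a live element.
function scanTags(html) {
  const tags = [];
  let i = 0;
  while ((i = html.indexOf('<', i)) !== -1) {
    const m = /^<(\/?)([a-zA-Z][\w-]*)/.exec(html.slice(i));
    if (!m) { i += 1; continue; }                      // stray '<' in text
    const tag = { name: m[2].toLowerCase(), closing: m[1] === '/', attrs: {} };
    let j = i + m[0].length;
    while (j < html.length && html[j] !== '>') {
      if (/[\s\/]/.test(html[j])) { j += 1; continue; }
      let k = j;
      while (k < html.length && !/[\s=>\/]/.test(html[k])) k += 1;
      const attrName = html.slice(j, k).toLowerCase();
      let value = '';
      while (k < html.length && /\s/.test(html[k])) k += 1;
      if (html[k] === '=') {
        k += 1;
        while (k < html.length && /\s/.test(html[k])) k += 1;
        const q = html[k];
        if (q === '"' || q === "'") {                  // quoted: '>' inside is data
          let end = html.indexOf(q, k + 1);
          if (end === -1) end = html.length;
          value = html.slice(k + 1, end);
          k = end + 1;
        } else {                                       // unquoted value
          const start = k;
          while (k < html.length && !/[\s>]/.test(html[k])) k += 1;
          value = html.slice(start, k);
        }
      }
      if (attrName) tag.attrs[attrName] = value;
      j = k;
    }
    tags.push(tag);
    i = j + 1;
  }
  return tags;
}

// Report every construct in rendered HTML that can run script.
const SCRIPT_ELEMENTS = new Set(['script', 'iframe', 'object', 'embed']);
function findActiveMarkup(html) {
  const findings = [];
  for (const { name, closing, attrs } of scanTags(html)) {
    if (closing) continue;
    if (SCRIPT_ELEMENTS.has(name)) findings.push(`<${name}> element`);
    for (const a of Object.keys(attrs)) {
      if (a.startsWith('on')) findings.push(`${a} handler on <${name}>`);
      if ((a === 'href' || a === 'src') && /^\s*javascript:/i.test(attrs[a])) {
        findings.push(`javascript: URL in ${a} on <${name}>`);
      }
    }
  }
  return findings;
}

// Run every payload through the filter and both renderers.
function runDemo() {
  return CONSTRUCTED_PAYLOADS.map(p => ({
    payload: p,
    passesNaiveFilter: naiveInputFilter(p),
    vulnerableRenderFindings: findActiveMarkup(renderGroupHeaderVulnerable(p)),
    safeRenderFindings: findActiveMarkup(renderGroupHeaderSafe(p)),
  }));
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Three of the four attack payloads pass the blocklist, and all four produce executable markup from the unencoded template, while the encoded template yields no findings for any input and still renders the legitimate label correctly. The scanner is an oracle for a fixed test harness, not a sanitiser; do not repurpose it as one.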