Cyber Resilience

CVE-2024-50580

Medium

Published: 28 October 2024

Modified: 29 October 2024
KEV added: not listed
Patch: available (fixed in YouTrack 2024.3.47707)
CVSS v3.1 score: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
EPSS score: 0.2382 (96.1st percentile)
Risk priority: 23 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-50580 is a medium-severity cross-site scripting (CWE-79) vulnerability in JetBrains YouTrack. Its CVSS v3.1 base score is 4.6 (Medium).

Operationally, it ranks in the top 3.9% of CVEs by EPSS exploit likelihood (EPSS 0.2382) and is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-50580 is a cross-site scripting vulnerability affecting JetBrains YouTrack versions before 2024.3.47707. It stems from insecure markdown parsing combined with custom rendering rules, which together opened multiple XSS vectors (CWE-79). The CVSS 3.1 base score of 4.6 reflects a network attack vector, low attack complexity and low privileges required, with user interaction required, unchanged scope, low confidentiality and integrity impact and no availability impact.

An authenticated attacker with low privileges, typically any user able to write markdown in issues, comments or similar fields, can supply crafted markdown that executes script in the browsers of other users who view the rendered content. Successful exploitation yields limited confidentiality and integrity impact: actions performed within the victim's YouTrack session, exposure of data the victim can see, and theft of session tokens where those are not protected by the HttpOnly cookie flag. Availability is not affected.

JetBrains addressed the flaw in YouTrack 2024.3.47707, which corrects the markdown parsing and rendering logic; upgrading to that build or later is the remediation. The EPSS score has remained flat at 0.2382, with no rise indicated after disclosure.
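To make "insecure markdown parsing combined with custom rendering rules" concrete, the following Python example, written for this page rather than taken from YouTrack's code base, pairs a toy markdown renderer in an insecure form (raw HTML passed through, link schemes unchecked, a custom rule interpolating raw input into attributes) with a hardened form that HTML-escapes every text node and attribute value and allow-lists link schemes. An audit helper parses the rendered HTML and flags anything a markdown renderer should never emit, which is the kind of payload-driven check the mitigating controls listed further down rely on. The {user:NAME} rendering rule, the payloads and all function names are constructed for the demonstration and are not YouTrack's.

```python
"""Added example for this page, not JetBrains YouTrack code: a toy markdown
renderer with a custom rendering rule, first written insecurely and then
hardened, plus an audit that flags XSS vectors in the rendered HTML.
The {user:NAME} rule, the payloads and all names here are constructed."""
from __future__ import annotations

import html
import re
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)\s]*)\)")       # [text](url)
USER_RE = re.compile(r"\{user:([^}]+)\}")                 # hypothetical custom rule
TOKEN_RE = re.compile(f"{LINK_RE.pattern}|{USER_RE.pattern}")  # groups 1-2: link, 3: user
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}         # "" covers relative URLs

# Constructed payloads, one per mistake the vulnerable renderer makes.
PAYLOADS = [
    "<img src=x onerror=alert(1)>",          # raw HTML passed straight through
    "[click](javascript:alert%281%29)",      # link target scheme never checked
    '{user:x" onmouseover="alert(1)}',       # custom rule breaks out of an attribute
]


def render_vulnerable(markdown: str) -> str:
    """Insecure parsing: text is never escaped, hrefs are never checked and
    the custom rule interpolates raw input into tag attributes."""
    out = LINK_RE.sub(lambda m: f'<a href="{m.group(2)}">{m.group(1)}</a>', markdown)
    return USER_RE.sub(
        lambda m: f'<a href="/users/{m.group(1)}" title="{m.group(1)}">{m.group(1)}</a>', out
    )


def safe_href(url: str) -> str:
    """Allow-list the URL scheme; javascript:, data:, vbscript: and the like
    are replaced with an inert target."""
    return url if urlsplit(url.strip()).scheme.lower() in ALLOWED_SCHEMES else "#"


def render_hardened(markdown: str) -> str:
    """Same grammar, but every text node and attribute value is HTML-escaped
    (so inline HTML becomes literal text) and link targets are allow-listed."""
    parts, pos = [], 0
    for m in TOKEN_RE.finditer(markdown):
        parts.append(html.escape(markdown[pos:m.start()]))   # plain text between tokens
        if m.group(3) is not None:                           # custom {user:NAME} rule
            name = m.group(3)
            parts.append(f'<a href="/users/{quote(name, safe="")}" '
                         f'title="{html.escape(name)}">{html.escape(name)}</a>')
        else:                                                # [text](url) rule
            parts.append(f'<a href="{html.escape(safe_href(m.group(2)))}">'
                         f'{html.escape(m.group(1))}</a>')
        pos = m.end()
    parts.append(html.escape(markdown[pos:]))
    return "".join(parts)


class _Audit(HTMLParser):
    """Walk rendered HTML and record anything this renderer should never emit:
    tags other than <a>, on* event-handler attributes, or disallowed hrefs."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            self.findings.append(f"unexpected tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            elif name == "href" and urlsplit((value or "").strip()).scheme.lower() not in ALLOWED_SCHEMES:
                self.findings.append(f"disallowed href {value!r}")


def audit(rendered: str) -> list[str]:
    """Return the list of XSS-relevant findings in a rendered HTML fragment."""
    parser = _Audit()
    parser.feed(rendered)
    parser.close()
    return parser.findings


def compare(payloads=PAYLOADS) -> dict[str, tuple[int, int]]:
    """Findings per payload as (vulnerable renderer, hardened renderer)."""
    return {p: (len(audit(render_vulnerable(p))), len(audit(render_hardened(p)))) for p in payloads}


if __name__ == "__main__":
    for payload, (vuln, hard) in compare().items():
        print(f"{payload!r}: vulnerable={vuln} findings, hardened={hard} findings")
```

The hardened renderer escapes at the point where text is placed into HTML rather than trying to filter the markdown input, because a markdown input filter cannot distinguish a legitimate angle bracket or URL from an attack; the scheme allow-list is needed in addition to escaping because a javascript: href is well-formed HTML and escaping alone does not neutralise it.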

Vulnerability details

In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rules.

CWE(s)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

JetBrains YouTrack, versions before 2024.3.47707 (fixed in 2024.3.47707)

Mitigating Controls

Likely mitigating controls

Per-CVE control mapping for this CVE has not run yet; the controls below are derived from the weakness type (CWE-79) cited in the NVD entry. The primary remediation remains upgrading YouTrack to 2024.3.47707 or later.

Penetration testing (addresses CWE-79): submits XSS payloads, including crafted markdown, to the application and confirms whether script content survives rendering, so that cross-site scripting flaws can be remediated.

Input validation (addresses CWE-79): rejects or restricts script-related content in web inputs. For markdown, which legitimately contains angle brackets and URLs, this is a weak control on its own and should not replace output encoding.

Output encoding and sanitization (addresses CWE-79): HTML-escapes text and attribute values and allow-lists link schemes in the generated page, so that user-supplied content cannot break out of its rendering context; this is the control that directly addresses the markdown rendering flaw.
