CVE-2024-50580
Published: 28 October 2024
Summary
CVE-2024-50580 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in JetBrains YouTrack. Its CVSS base score is 4.6 (Medium).
Operationally, it ranks in the top 3.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-50580 is a cross-site scripting vulnerability affecting JetBrains YouTrack versions prior to 2024.3.47707. It stems from insecure markdown parsing combined with custom rendering rules, allowing multiple XSS vectors as classified under CWE-79. The issue carries a CVSS 3.1 score of 4.6, reflecting a network attack vector, low attack complexity, low-privileged access, and required user interaction.
An authenticated attacker with low privileges can supply crafted markdown content that triggers script execution in other users' browsers upon rendering. Successful exploitation yields limited confidentiality and integrity impacts, such as session token theft or unauthorized actions within the victim's YouTrack context, but does not affect availability.
The vendor advisory at the referenced JetBrains security page addresses the flaw through the release of version 2024.3.47707, which corrects the markdown handling and rendering logic. The associated EPSS score remains flat at 0.2382 with no indicated rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-44961
Vulnerability details
In JetBrains YouTrack before 2024.3.47707, multiple XSS were possible due to insecure markdown parsing and custom rendering rules.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications to detect cross-site scripting flaws for subsequent remediation.
Input validation rejects script-related content in web inputs that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
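The output-side control described above, applied to the kind of markdown rendering this CVE concerns, as an added example written for this page (it is not YouTrack's renderer or any JetBrains code). The block implements a small markdown-to-HTML renderer with three constructed custom inline rules (inline code, bold, links) in two variants: an insecure one that interpolates user text and link targets verbatim, and a hardened one that HTML-escapes every text span and only emits a link when the target's scheme is on an allowlist. The rule names, the `ALLOWED_URL_SCHEMES` set and the `rel` attribute are assumptions made for the example; only the Python standard library is used.

```python
import html
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed example for this page: a tiny markdown renderer with custom
# inline rules, shown in an insecure and a hardened form. Not YouTrack's code.

# Assumed allowlist of link schemes; anything else (javascript:, data:,
# scheme-less or protocol-relative targets) is rendered as plain text.
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}

# Custom rendering rules. Earliest match in the remaining text wins; each rule
# captures its inner content in group 1 (links capture the target in group 2).
RULES = [
    ("code", re.compile(r"`([^`]+)`")),
    ("bold", re.compile(r"\*\*(.+?)\*\*")),
    ("link", re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")),
]


def safe_href(url: str) -> Optional[str]:
    """Return an attribute-safe href, or None if the scheme is not allowlisted.

    urlparse() lower-cases the scheme, so "JavaScript:" is handled like
    "javascript:". Scheme-less targets are rejected too, which is the
    conservative choice for untrusted input.
    """
    if urlparse(url).scheme not in ALLOWED_URL_SCHEMES:
        return None
    return html.escape(url, quote=True)


def _render(text, escape, href_filter):
    """Walk the text, applying the earliest-matching rule at each step.

    `escape` is applied to every literal text span and to inline-code bodies;
    `href_filter` decides whether a link target may be emitted at all.
    """
    out = []
    pos = 0
    while pos < len(text):
        best = None
        for kind, pattern in RULES:
            m = pattern.search(text, pos)
            if m and (best is None or m.start() < best[1].start()):
                best = (kind, m)
        if best is None:
            out.append(escape(text[pos:]))
            break
        kind, m = best
        out.append(escape(text[pos:m.start()]))
        if kind == "code":
            out.append(f"<code>{escape(m.group(1))}</code>")
        elif kind == "bold":
            out.append(f"<strong>{_render(m.group(1), escape, href_filter)}</strong>")
        else:
            label = _render(m.group(1), escape, href_filter)
            href = href_filter(m.group(2))
            if href is None:
                out.append(label)  # drop the link, keep the (escaped) label
            else:
                out.append(f'<a href="{href}" rel="noopener noreferrer">{label}</a>')
        pos = m.end()
    return "".join(out)


def render_unsafe(text: str) -> str:
    """Insecure variant: text spans and link targets are interpolated verbatim,
    so any HTML or script in the markdown reaches the page unchanged."""
    return _render(text, lambda s: s, lambda u: u)


def render_safe(text: str) -> str:
    """Hardened variant: every text span is HTML-escaped and link targets must
    pass the scheme allowlist before an <a> element is emitted."""
    return _render(text, html.escape, safe_href)


if __name__ == "__main__":
    sample = "See **[docs](https://example.com/?a=1&b=2)** and `<b>`"
    print(render_unsafe(sample))
    print(render_safe(sample))
```

The hardened path applies escaping at the point where text is turned into HTML rather than trying to strip "script-like" substrings from the input, so markup-significant characters are neutralised regardless of which custom rule produced them; the link filter is the one place where an allowlist on the value itself is needed, because a syntactically valid `href` can still carry an executable scheme.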