CVE-2024-36366
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in JetBrains TeamCity allows attackers to inject malicious scripts into web pages viewed by other users. It affects TeamCity instances with report grouping and filtering functionality enabled. Users who access compromised reports could have their sessions hijacked or sensitive data stolen.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, perform actions as authenticated users, or deploy malware to client browsers.
Likely Case
Session hijacking, credential theft, or unauthorized actions performed in the context of authenticated users.
If Mitigated
Limited impact with proper Content Security Policy (CSP) headers and input validation, though some data leakage may still occur.
🎯 Exploit Status
Exploitation requires the attacker to have access to create or modify reports, or trick users into accessing maliciously crafted reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 or later
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Back up the TeamCity configuration and data.
2. Download the patched version from the JetBrains website.
3. Stop the TeamCity server.
4. Install the update following the JetBrains upgrade guide.
5. Restart the TeamCity server.
6. Verify functionality.
🔧 Temporary Workarounds
Disable Report Grouping/Filtering
Temporarily disable report grouping and filtering functionality to prevent exploitation.
Modify the TeamCity configuration to restrict report creation/modification permissions.
Implement Content Security Policy
Add strict CSP headers to mitigate XSS impact.
Add a 'Content-Security-Policy' header with a script-src 'self' directive.
🧯 If You Can't Patch
- Restrict user permissions for report creation and modification to trusted administrators only.
- Implement web application firewall (WAF) rules to detect and block XSS payloads in report parameters.
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version in Administration → Server Administration → Server Health → Version.
Check Version:
Check TeamCity web interface or server logs for version information.
Verify Fix Applied:
Verify version is 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 or later, and test report grouping/filtering functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual report creation/modification patterns
- Suspicious characters in report parameters (script tags, javascript: URIs)
Network Indicators:
- HTTP requests with suspicious parameters in report-related endpoints
SIEM Query:
source="teamcity" AND (uri_path="/app/rest/reports" OR uri_path="/app/rest/builds") AND (param="script" OR param="javascript" OR param="onerror")
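The log indicators listed above, turned into a small offline scanner as an added example (not part of the original advisory): it parses constructed access-log lines, keeps only requests to the report-related endpoints named in the SIEM query, percent-decodes the query parameters and flags the script-tag, javascript: URI and event-handler patterns. The log line format, the parameter names and the choice of endpoints are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Endpoints taken from the page's SIEM query (assumption: adjust to your instance's routes).
WATCHED_PATHS = ("/app/rest/reports", "/app/rest/builds")

# Indicators named under "Log Indicators": script tags, javascript: URIs and
# inline event handlers such as onerror, matched on the decoded parameter value.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "event_handler": re.compile(r"\bon(error|load|click)\s*=", re.IGNORECASE),
}

# Constructed sample access-log lines (not real TeamCity logs):
# client, method, request URL, status. Parameter names are made up.
SAMPLE_LOG = """\
10.0.0.5 GET /app/rest/reports?group=branch&filter=status 200
10.0.0.7 GET /app/rest/reports?filter=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
10.0.0.9 GET /app/rest/builds?locator=count:10 200
10.0.0.9 GET /app/rest/builds?name=javascript%3Aalert(1) 200
10.0.0.11 GET /app/rest/reports?group=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E 200
10.0.0.12 GET /login.html?x=%3Cscript%3E 200
"""
LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")

def scan_line(line):
    """Return a finding for a watched-path request carrying an XSS indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed line: skip it rather than abort the scan
    parts = urlsplit(m.group("url"))
    if not parts.path.startswith(WATCHED_PATHS):
        return None  # only report/build endpoints are in scope for this rule
    hits = []
    # parse_qsl percent-decodes values, so encoded payloads are visible to the patterns.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for label, pattern in XSS_PATTERNS.items():
            if pattern.search(value):
                hits.append((name, label))
    return {"client": m.group("client"), "path": parts.path, "hits": hits} if hits else None

def scan_log(text):
    """Scan every line of an access log and return the findings (empty list if none)."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Requests outside the watched endpoints are ignored even when they carry the same patterns, so widen WATCHED_PATHS if your instance exposes report functionality under other routes.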