CVE-2024-41656

7.1 HIGH

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in Sentry's self-hosted versions where unsanitized HTML payloads from Integration platform integrations can be stored and rendered on the Issues page. Self-hosted Sentry users with untrustworthy integrations are affected, while Sentry SaaS customers are protected by Content Security Policy. The vulnerability allows attackers to execute arbitrary JavaScript in the context of Sentry users.

💻 Affected Systems

Products:
  • Sentry self-hosted
Versions: 10.0.0 to 24.7.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects self-hosted installations. Sentry SaaS customers are protected by CSP. Requires untrustworthy Integration platform integrations sending external issues.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts through stored XSS.

🟠 Likely Case

Malicious integrations could inject JavaScript that steals user session tokens or performs unauthorized actions within Sentry.

🟢 If Mitigated

With proper CSP enforcement, script execution is blocked, limiting impact to HTML injection without code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires control over Integration platform integrations sending payloads to Sentry. The vulnerability is in payload processing, not authentication bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 24.7.1

Vendor Advisory: https://github.com/getsentry/sentry/security/advisories/GHSA-fm88-hc3v-3www

Restart Required: Yes

Instructions:

1. Back up your Sentry installation and database.
2. Update to Sentry 24.7.1 using your deployment method (Docker, Kubernetes, etc.).
3. Restart Sentry services.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Workaround: Enable Content Security Policy

Applies to: all

Enable CSP in enforcing mode to block script execution from injected HTML.

Set CSP_REPORT_ONLY = False in the Sentry configuration.

🧯 If You Can't Patch

  • Enable and enforce Content Security Policy with CSP_REPORT_ONLY = False
  • Audit and restrict Integration platform integrations to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Check the Sentry version: if it is between 10.0.0 and 24.7.0, the installation is vulnerable.

Check Version:

Run sentry --version, or check the Docker image tag.

Verify Fix Applied:

Verify that the Sentry version is 24.7.1 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML payloads in integration webhook logs
  • CSP violation reports if CSP_REPORT_ONLY is enabled

Network Indicators:

  • Suspicious HTML/JavaScript in integration payloads to Sentry

SIEM Query:

source="sentry" AND ("integration" OR "webhook") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
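The version check from "How to Verify" and the indicator match from the SIEM query above, as an added Python example that is not part of this page or of Sentry's code. The log lines are constructed, and the case-insensitive regexes (including matching the "<script" tag prefix rather than only "<script>") are assumptions that broaden the page's query slightly.

```python
import re
from typing import Dict, List

# Affected range and fixed version as stated on this page.
VULN_MIN = (10, 0, 0)
VULN_MAX = (24, 7, 0)
FIXED = (24, 7, 1)

def parse_version(text: str):
    """Extract a numeric version tuple from e.g. 'sentry 24.7.0' or a Docker tag '24.7.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version_text: str) -> bool:
    """True when the version falls inside the affected range 10.0.0 .. 24.7.0 (inclusive)."""
    return VULN_MIN <= parse_version(version_text) <= VULN_MAX

# Indicator substrings from the page's SIEM query; matched case-insensitively (assumption).
INDICATORS = ("<script", "javascript:", "onerror=", "onload=")
INDICATOR_RE = re.compile("|".join(re.escape(i) for i in INDICATORS), re.IGNORECASE)
SOURCE_RE = re.compile(r"integration|webhook", re.IGNORECASE)

def flag_integration_payloads(lines: List[str]) -> List[Dict[str, str]]:
    """Return integration/webhook log lines that carry an HTML/JS indicator."""
    hits = []
    for line in lines:
        if not SOURCE_RE.search(line):
            continue  # only integration/webhook traffic is in scope for this CVE
        m = INDICATOR_RE.search(line)
        if m:
            hits.append({"line": line, "indicator": m.group(0).lower()})
    return hits

# Constructed sample log lines (not real Sentry output).
SAMPLE_LOG = [
    'sentry.integrations webhook external issue title="Login failing" from=issue-tracker',
    'sentry.integrations webhook external issue title="<img src=x onerror=x()>" from=untrusted-app',
    'sentry.web request GET /organizations/acme/issues/ 200',
    'sentry.integrations webhook external issue description="<SCRIPT>x()</SCRIPT>" from=untrusted-app',
]

if __name__ == "__main__":
    for v in ("sentry 24.6.0", "24.7.1"):
        print(v, "-> vulnerable" if is_vulnerable(v) else "-> not affected")
    for hit in flag_integration_payloads(SAMPLE_LOG):
        print("ALERT", hit["indicator"], "in:", hit["line"])
```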
