CVE-2025-47853

4.8 MEDIUM

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts into JetBrains TeamCity's Jira integration interface, which are then stored and executed when other users view the affected pages. It affects all TeamCity instances running versions before 2025.03.2 with Jira integration enabled.

💻 Affected Systems

Products:
  • JetBrains TeamCity
Versions: All versions before 2025.03.2
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Jira integration to be configured and used. The vulnerability exists in how TeamCity handles user input in Jira-related fields.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to account compromise or data theft.

🟠 Likely Case

Attackers with access to Jira integration fields could inject scripts that execute in victims' browsers, potentially stealing session tokens or performing unauthorized actions.

🟢 If Mitigated

With proper input validation and output encoding, the scripts would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to modify Jira integration fields, typically requiring some level of authenticated access. The XSS payload would execute in the context of other users viewing the affected content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.03.2 or later

Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/

Restart Required: Yes

Instructions:

1. Back up your TeamCity instance.
2. Download TeamCity 2025.03.2 or later from the JetBrains website.
3. Follow the TeamCity upgrade documentation for your specific deployment method.
4. Restart the TeamCity service after the upgrade.

🔧 Temporary Workarounds

Disable Jira Integration

all

Temporarily disable Jira integration to prevent exploitation while planning the upgrade.

Navigate to Administration > Integrations > Jira and disable the integration

Implement WAF Rules

all

Configure web application firewall to block common XSS payloads in Jira-related requests

Configure WAF rules to filter <script>, javascript:, and other XSS indicators in POST/PUT requests to TeamCity Jira endpoints

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to limit script execution
  • Enable input validation and output encoding for all user-controlled fields in Jira integration

🔍 How to Verify

Check if Vulnerable:

Check the TeamCity version in Administration > Global Settings. If the version is below 2025.03.2 and Jira integration is enabled, the system is vulnerable.

Check Version:

Check the TeamCity web interface at Administration > Global Settings, or check the server logs for version information.

Verify Fix Applied:

After upgrading, verify that the version is 2025.03.2 or higher in Administration > Global Settings. Test Jira integration functionality to ensure it works properly.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Jira integration configuration changes
  • Suspicious script-like content in Jira-related fields
  • Multiple failed login attempts followed by Jira configuration changes

Network Indicators:

  • POST/PUT requests to TeamCity Jira endpoints containing script tags or javascript: URIs
  • Unusual outbound connections from TeamCity to external domains

SIEM Query:

source="teamcity" AND ("jira" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload="))
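
The matching logic of the SIEM query above, as an added Python example (not from the original page or from JetBrains). It goes beyond the query by undoing percent- and HTML-entity encoding before matching, so encoded forms of the same indicators are still caught; the log layout, URL paths and sample lines are constructed assumptions, not TeamCity's real format.

```python
import html
import re
from urllib.parse import unquote

# Indicators from the SIEM query above. Event-handler names may be followed
# by whitespace before "=", so they are matched with a regex, case-insensitively.
INDICATORS = re.compile(r"<script\b|javascript:|\bon(?:error|load)\s*=", re.I)

def normalise(line: str, max_rounds: int = 3) -> str:
    """Undo percent- and HTML-entity encoding (bounded, to handle nesting)."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(line))
        if decoded == line:
            break
        line = decoded
    return line

def is_suspicious(line: str) -> bool:
    """True when a Jira-related line carries one of the query's indicators."""
    text = normalise(line)
    return "jira" in text.lower() and bool(INDICATORS.search(text))

def scan(lines):
    """Return (line_number, line) pairs that match, 1-indexed."""
    return [(n, l) for n, l in enumerate(lines, 1) if is_suspicious(l)]

# Constructed sample lines; layout and paths are assumptions for illustration.
SAMPLE_LOG = [
    "2025-05-20 10:01:02 INFO POST /admin/jira/settings name=Tracker",
    "2025-05-20 10:02:10 INFO POST /admin/jira/settings name=<script>x</script>",
    "2025-05-20 10:03:44 INFO PUT /admin/jira/settings name=%3Cscript%3Ex%3C%2Fscript%3E",
    "2025-05-20 10:04:05 INFO POST /admin/build/settings name=<script>x</script>",
    "2025-05-20 10:05:30 INFO POST /admin/jira/settings url=JavaScript:void(0)",
    "2025-05-20 10:06:12 INFO GET /admin/jira/settings?tab=onloading",
]

if __name__ == "__main__":
    for number, line in scan(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Line 4 is skipped because it is not Jira-related, and line 6 because `onloading` is not an event-handler assignment.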
