JetBrains TeamCity AgentDistributionSettingsController Cross-Site Scripting Vulnerability

2024-04-0100:00:00

Alex Williams of Trend Micro Security Research

www.zerodayinitiative.com

remote attackers

arbitrary script execution

user interaction

malicious page

malicious file

os parameter

agentdistributionsettingscontroller

lack of validation

user-supplied data

injection vulnerability

current user context

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.1%

JSON

This vulnerability allows remote attackers to execute arbitrary script on affected installations of JetBrains TeamCity. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the os parameter provided to the AgentDistributionSettingsController.doPost method. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of arbitrary script. An attacker can leverage this vulnerability to execute script in the context of the current user.

References

www.jetbrains.com/privacy-security/issues-fixed/