Cyber Posture

CVE-2025-24459

Severity: Medium
Published: 21 January 2025
Modified: 30 January 2025
KEV Added: (no date recorded)
Patch: available (fixed in TeamCity 2024.12.1)
CVSS Score: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
EPSS Score: 0.2230 (95.8th percentile)
Risk Priority: 23 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

In JetBrains TeamCity before 2024.12.1, reflected cross-site scripting (XSS) on the Vault Connection page was possible.

Security Summary

CVE-2025-24459 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting JetBrains TeamCity versions prior to 2024.12.1. The flaw exists on the Vault Connection page, where attacker-controlled request input is written back into the HTML response without output encoding, so a crafted value is interpreted as markup and script rather than as data. It carries a CVSS v3.1 base score of 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N): network-reachable and low complexity, but rated Medium because the attacker needs an authenticated low-privilege account and the victim must act.
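The CWE-79 pattern the summary describes, shown as an added illustration beside its hardened form. This is not TeamCity's code: the handler, the `name` parameter and the `/admin/vaultConnection` path are hypothetical stand-ins for the affected page, and the attacker URL is constructed for the example.

```python
"""Added example: a reflected-XSS sink and the same sink with output encoding.
Hypothetical handler, parameter name and path; not code from JetBrains TeamCity."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed attacker link: the query value only becomes executable script if
# the server copies it into the page verbatim.
ATTACK_URL = (
    "https://teamcity.example/admin/vaultConnection"
    "?name=<script>alert(1)</script>"
)


def _name_param(url: str) -> str:
    """Pull the hypothetical 'name' query parameter out of a request URL."""
    params = parse_qs(urlsplit(url).query)
    return params.get("name", [""])[0]


def vulnerable_page(url: str) -> str:
    """CWE-79: the untrusted parameter is reflected into HTML unencoded."""
    return f"<h1>Vault connection: {_name_param(url)}</h1>"


def hardened_page(url: str) -> str:
    """Same page with HTML-entity encoding applied at the output sink.
    html.escape encodes & < > \" and ', which is the right encoding for an
    HTML text or quoted-attribute context; a JavaScript or URL context would
    need its own encoder."""
    return f"<h1>Vault connection: {escape(_name_param(url), quote=True)}</h1>"


class _TagCollector(HTMLParser):
    """Records start tags so the check parses the response like a browser
    would, instead of searching for a substring."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def has_script_tag(html: str) -> bool:
    """True if the response contains a real <script> element (payload survived)."""
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    return "script" in parser.tags


if __name__ == "__main__":
    print("vulnerable:", vulnerable_page(ATTACK_URL), has_script_tag(vulnerable_page(ATTACK_URL)))
    print("hardened:  ", hardened_page(ATTACK_URL), has_script_tag(hardened_page(ATTACK_URL)))
```

The encoded response still displays the attacker's text, but the browser parses it as text inside the `<h1>`, not as an element, which is the whole fix: encode at the sink for the context it lands in, rather than trying to strip "bad" input on the way in.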

Exploitation requires an attacker who already holds a low-privilege TeamCity account (PR:L) to craft a link to the Vault Connection page that carries the script payload in a reflected parameter. A victim user must open that link or otherwise trigger the reflection (UI:R); the payload then runs in the victim's browser, in the victim's TeamCity session, over the network (AV:N) and without special preconditions (AC:L). The rated impact is low on confidentiality and integrity (C:L/I:L): the script can read what the victim's session can see and issue requests as the victim, but the vector claims no availability impact (A:N). Note that users who configure Vault connections are typically project or server administrators, so the practical reach of a successful attack may exceed what the attacker's own PR:L account could do directly.

JetBrains fixed this vulnerability in TeamCity 2024.12.1, as recorded in their "issues fixed" advisory at https://www.jetbrains.com/privacy-security/issues-fixed/. Security practitioners should upgrade every instance running an earlier version to 2024.12.1 or later; because the flaw sits on an administrative settings page, instances whose administrators routinely follow links from issue trackers, chat or build logs deserve priority.
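The inventory check that follows from that advice, as an added example and not JetBrains tooling: parse whatever version string each server reports and compare it against the fixed version, treating a missing patch component (for example "2024.12") as older than "2024.12.1". The host names and build numbers in the sample inventory are constructed.

```python
"""Added example: flag TeamCity instances whose version predates the fix.
Not JetBrains code; sample inventory below is constructed."""
import re

FIXED_IN = (2024, 12, 1)  # first version in which CVE-2025-24459 is fixed

# Constructed inventory of (host, version string as the server reports it).
SAMPLE_INVENTORY = [
    ("ci-01", "2024.07.3 (build 156166)"),
    ("ci-02", "2024.12.1 (build 174331)"),
    ("ci-03", "2024.12"),
    ("ci-04", "2025.03"),
]

_VERSION_RE = re.compile(r"(\d{4})\.(\d{1,2})(?:\.(\d+))?")


def parse_teamcity_version(text: str) -> tuple[int, int, int]:
    """Extract the leading year.month[.patch] triple from a version string.
    A missing patch number is treated as 0, so '2024.12' sorts before
    '2024.12.1' and is correctly reported as affected."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"unrecognised TeamCity version: {text!r}")
    year, month, patch = match.groups()
    return (int(year), int(month), int(patch or 0))


def is_affected(version_text: str, fixed_in: tuple[int, int, int] = FIXED_IN) -> bool:
    """True when the reported version is strictly older than the fixed one."""
    return parse_teamcity_version(version_text) < fixed_in


def affected_hosts(inventory) -> list[str]:
    """Return the hosts that still need the upgrade, in inventory order."""
    return [host for host, version in inventory if is_affected(version)]


if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        print(f"{host}: {version!r} -> {'AFFECTED' if is_affected(version) else 'ok'}")
```

The comparison is strict (`<`), matching the advisory's "before 2024.12.1"; the "≤" that appears in some feeds would wrongly flag the fixed release itself.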

Details

CWE(s)
CWE-79

Affected Products

jetbrains
teamcity
< 2024.12.1 (fixed in 2024.12.1)

MITRE ATT&CK Enterprise Techniques

T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

Reflected XSS yields arbitrary JavaScript execution in the victim's browser (T1059.007), and in this case the reflection is triggered by the victim opening a crafted link (T1204.001), which is also why the CVSS vector carries UI:R.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References