Comprehensive Analysis of CVE-2024-47950: JetBrains TeamCity Stored XSS Vulnerability

1. Threat Intelligence

CVE-2024-47950, a stored Cross-Site Scripting (XSS) vulnerability in JetBrains TeamCity’s Backup configuration settings, was disclosed on October 8, 2024. As of July 2025, no active exploitation in the wild has been publicly reported. However, detection capabilities for this vulnerability exist, including:

1. Juniper’s HTTP signature detection (HTTP:XSS:JTBRAIN-TM-CTY-BKP-HIS), which identifies attempts to exploit this flaw by stealing authentication credentials[2][18].
2. CISA KEV status: Not listed, indicating no immediate compliance mandates[1][18].

Impact of Delayed Exploitation:
The absence of public exploit code aligns with the medium severity CVSS score (5.4)[18], which reflects the need for user interaction (UI:R) and low privileges (PR:L). Attackers typically prioritize high-impact flaws, but XSS vulnerabilities remain a common vector for phishing, session hijacking, and chained attacks[1][13].

---

2. Technical Analysis

Root Cause

CVE-2024-47950 arises from improper input validation in TeamCity’s Backup configuration interface. Attackers can inject malicious scripts into fields used to configure backups. When administrators or users with access to this interface view the backup settings, the stored script executes in their browser context[1][9].

| Attack Vector | Details | Reference |
|—————————|—————————————————————————–|—————|
| Network Access | Remote exploitation via crafted requests to Backup configuration endpoints[2][14]. | [1][2][14] |
| User Interaction | Requires a legitimate user to access the compromised Backup settings[18][13]. | [18][13] |
| Privilege Escalation | Not directly possible, but scripts can steal cookies/sessions or redirect users[2][15]. | [2][15] |

Exploitation Steps:

1. Injection: Malicious script injected into Backup-related fields.
2. Storage: The script remains stored in the backup configuration.
3. Execution: When a privileged user accesses the configuration, the script executes[1][6].

—

3. Supply Chain and CI/CD Impact

Though not a direct supply chain vulnerability (e.g., compromised build artifacts), TeamCity’s role in CI/CD pipelines amplifies the risk:

1. Affected Workflows: Compromised build configurations or test environments could propagate stolen credentials or malicious commands across pipelines.
2. Detection Methods:

1. Audit Backup Configurations: Regularly inspect backup settings for unexpected script tags.
2. Log Analysis: Monitor access logs for Backup-related endpoints combined with injected payloads like alert(1) or redirect scripts[2][6].

Hardening Recommendations:

1. Restrict access to Backup configuration settings to privileged users.
2. Implement Content Security Policy (CSP) headers to block unauthorized scripts[15].
3. Use Web Application Firewalls (WAFs) to filter XSS attempts[15].

—

4. Vendor and Industry Response

Patch Timeline

1. Disclosed: October 8, 2024[1][16].
2. Patched: TeamCity 2024.07.3, released Oct 1, 2024[3][9].
3. Patch Notes:

1. Rollback-Friendly: Shares the same data format as 2024.07.x releases[3].
2. Additional Fixes: Addressed 20+ issues, including failed SSH connections and build cancellations[3][19].

Severity Discrepancy:

1. JetBrains: Rated as Low (CVSS 3.5)[13].
2. NIST: Rated Medium (CVSS 5.4)[18].

This divergence likely stems from differing risk assessments of user interaction and privilege requirements[13][18].

---

5. Detection and Monitoring

Indicator of Compromise (IOC) Examples

| Type | Example | Detection Method |
|————————-|————————————————–|——————————|
| HTTP Request | http://teamcity.example.com/Backup/?Config= | Network traffic analysis[2]. |
| User Agent | Mozilla/5.0 XSS-Tester | SIEM/SOAR rule matching[2]. |
| Cookie Theft | Unusual token usage in Backup configuration logs | Behavioral anomaly detection[15]. |

SIEM Queries:
“
SELECT * FROM http_logs
WHERE uri_path LIKE '%/Backup%' AND http_user_agent LIKE '%