Skip to main content

Teamcity CVE-2025-52875

| EUVDEUVD-2025-18914 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-06-23 cve@jetbrains.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2025.03.3
EUVD ID Assigned
Mar 15, 2026 - 22:10 euvd
EUVD-2025-18914
Analysis Generated
Mar 15, 2026 - 22:10 vuln.today
CVE Published
Jun 23, 2025 - 15:15 nvd
MEDIUM 5.4

DescriptionCVE.org

In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible

Analysis

In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

CVE-2024-27198 CRITICAL POC
9.8 Mar 04

In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible. Rated criti

CVE-2023-42793 CRITICAL POC
9.8 Sep 19

In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible. Rated criti

CVE-2024-23917 CRITICAL POC
9.8 Feb 06

In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible. Rated critical severity (CVSS

CVE-2024-41827 CRITICAL
9.8 Jul 22

In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration. Rated critical s

CVE-2024-36470 CRITICAL
9.8 May 29

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific e

CVE-2023-34218 CRITICAL
9.8 May 31

In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible. Rated c

CVE-2022-25263 CRITICAL
9.8 Feb 25

JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration. Rated

CVE-2022-24340 CRITICAL
9.8 Feb 25

In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. Rated critical sev

CVE-2022-24331 CRITICAL
9.8 Feb 25

In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible. Rated critical severity (CVSS 9

CVE-2021-43202 CRITICAL
9.8 Nov 30

In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases. Rated critical severity (CVS

CVE-2021-43200 CRITICAL
9.8 Nov 09

In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient. Rated critic

CVE-2021-43193 CRITICAL
9.8 Nov 09

In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible. Rated critica

Share

CVE-2025-52875 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy