Fixed security issues

This page contains information about resolved security issues, including description, severity, assigned CVEs, and the product versions in which they were resolved.

| Product | Description | Severity | Resolved In | CWE | CVE |
|---|---|---|---|---|---|
| TeamCity | Authenticated users without administrative permissions could register other users when self-registration was disabled (TW-87046) | Medium | 2024.03 | CWE-863 | CVE-2024-31134 |
| TeamCity | Open redirect was possible on the login page (TW-87062) | Medium | 2024.03 | CWE-601 | CVE-2024-31135 |
| TeamCity | 2FA could be bypassed by providing a special URL parameter (TW-86989) | High | 2024.03 | CWE-1288 | CVE-2024-31136 |
| TeamCity | Reflected XSS was possible via Space connection configuration. Reported by Linh Dinh (TW-86832) | Medium | 2024.03 | CWE-79 | CVE-2024-31137 |
| TeamCity | XSS was possible via Agent Distribution settings. Reported by Alex Williams from Trend Micro (TW-86535) | Medium | 2024.03 | CWE-79 | CVE-2024-31138 |
| TeamCity | XXE was possible in the Maven build steps detector (TW-86300) | Medium | 2024.03 | CWE-611 | CVE-2024-31139 |
| TeamCity | Server administrators could remove arbitrary files from the server by installing tools (TW-86039) | Medium | 2024.03 | CWE-1288 | CVE-2024-31140 |