Fixed security issues

This page contains information about resolved security issues, including description, severity, assigned CVEs, and the product versions in which they were resolved.

| Product | Description | Severity | Resolved In | CWE | CVE |
|---|---|---|---|---|---|
| TeamCity | Improper access control allowed viewing details of unauthorized agents (TW-85841) | Medium | 2024.12 | CWE-863 | CVE-2024-56348 |
| TeamCity | Improper access control allowed unauthorized users to modify build logs (TW-90726) | Medium | 2024.12 | CWE-862 | CVE-2024-56349 |
| TeamCity | Build credentials allowed unauthorized viewing of projects (TW-24904) | Medium | 2024.12 | CWE-863 | CVE-2024-56350 |
| TeamCity | Access tokens were not revoked after removing user roles (TW-76910) | Medium | 2024.12 | CWE-613 | CVE-2024-56351 |
| TeamCity | Stored XSS was possible via image name on the agent details page (TW-89485) | Medium | 2024.12 | CWE-79 | CVE-2024-56352 |
| TeamCity | Backup file exposed user credentials and session cookies. Reported by Thomas Siegbert (TW-89719) | Medium | 2024.12 | CWE-212 | CVE-2024-56353 |
| TeamCity | Password field values were accessible to users with view settings permission (TW-49870) | Medium | 2024.12 | CWE-522 | CVE-2024-56354 |
| TeamCity | Missing Content-Type header in RemoteBuildLogController response could lead to XSS (TW-80940) | Medium | 2024.12 | CWE-79 | CVE-2024-56355 |
| TeamCity | Insecure XMLParser configuration could lead to potential XXE attack (TW-86582) | Medium | 2024.12 | CWE-611 | CVE-2024-56356 |