JetBrains discloses TeamCity XSS flaw, not sure who was affected

JetBrains has disclosed that it discovered a cross-site scripting (XSS) vulnerability in versions 2019.1 and 2019.1.1 of its TeamCity CI/CD server back in July.

While the flaw was patched in v2019.1.2, the Czech-based firm is warning any customers still running the affected versions to update. Like, right now.

The firm warned that the vulnerability could allow “cross-site scripting (XSS) on many pages, potentially making it possible to send an arbitrary HTTP request to the TeamCity server under the name of the currently logged-in user.”

“This security issue affected all TeamCity installations of versions 2019.1 and 2019.1.1, possibly allowing an unauthorized person to execute code remotely,” it continued.

As for who might have been affected, “We do not have any information to confirm whether your particular TeamCity installation was compromised or not.” Which might leave some users feeling anxious, to say the least.

JetBrains said it had resolved the issue as a regular XSS on July 18, 2019, and released a version of TeamCity with the fix on July 31, 2019. “We are also adding automated tests to check for this type of vulnerability whenever changes are deployed to the codebase,” the firm added.
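To make the mechanism JetBrains describes concrete (unencoded output lets injected markup run in the victim's page, and any request that script makes to the same origin carries the victim's session), here is a generic, added example of a reflected XSS in a server-side template, the output-encoding fix, and a canary-based regression check of the kind the firm says it is adding. This is illustrative code written for this article, not TeamCity's code, and it says nothing about where TeamCity's actual bug was; the page names, the `/app/deleteProject` path and the payload are all constructed for the example.

```javascript
// Added example, not JetBrains/TeamCity code. Generic illustration of a reflected
// XSS in a server-side template, the output-encoding fix, and a canary-based
// regression check. Page names, paths and payloads are constructed.

// HTML-encode the five characters that can break out of a text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the query parameter is interpolated into the page unencoded. A crafted
// link therefore places attacker-controlled markup in the victim's page, and any script
// it carries runs in the victim's browser, which attaches the session cookie to requests
// the script makes to the same origin. The server sees those requests as the logged-in user.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Fixed: the same page with the parameter encoded before interpolation.
function renderSearchFixed(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Constructed canary payload: an event handler that would fire a same-origin request
// the server would attribute to whoever is logged in. The path is hypothetical.
const CANARY = `<img src=x onerror="fetch('/app/deleteProject?id=42')">`;

// Does the rendered HTML still contain a live tag with an event handler from the payload?
function reflectsPayload(html) {
  return /<img\b[^>]*onerror=/i.test(html);
}

// Automated regression check: render every registered page with the canary and
// return the names of the pages that reflect it. An empty array means the check passes.
function scanPages(pages, payload = CANARY) {
  const failures = [];
  for (const [name, render] of Object.entries(pages)) {
    if (reflectsPayload(render(payload))) failures.push(name);
  }
  return failures;
}

// Constructed page registry: one unfixed renderer and one fixed renderer.
const PAGES = {
  search_vulnerable: renderSearchVulnerable,
  search_fixed: renderSearchFixed,
};

console.log('pages reflecting the canary:', scanPages(PAGES));
```

Run stand-alone, the scan reports only `search_vulnerable`; wiring a check like `scanPages` into CI means a template that drops the encoding step fails the build instead of shipping. Note that encoding is context-specific: `escapeHtml` is correct for HTML text and quoted attribute values, but a value placed inside a `<script>` block or a URL needs the encoder for that context instead.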

The announcement comes just days after JetBrains shipped TeamCity 2019.1.3, which boasted no fewer than 50 fixes, three of which addressed security problems the firm did not detail.