CVE-2024-41656: Sentry vulnerable to stored Cross-Site Scripting (XSS)
An unsanitized payload sent by an Integration platform integration allows the storage of arbitrary HTML tags on the Sentry side. This payload could subsequently be rendered on the Issues page, creating a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability might lead to the execution of arbitrary scripts in the context of a user’s browser.
Self-hosted Sentry users may be impacted if untrustworthy Integration platform integrations send external issues to their Sentry instance.
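The bug class described above, as an added illustration that is not Sentry's code and not the actual fix from the referenced commit: an external-issue payload from an untrusted integration is interpolated straight into the markup of an issue link, versus the same payload validated on ingestion and HTML-escaped on output. The field names (`identifier`, `web_url`, `project`), the sample payloads and the link markup are assumptions chosen for the demonstration, not the real Sentry API shape.

```python
"""Defensive handling of an Integration-platform "external issue" payload.

Added illustration, not Sentry's code and not its fix: the field names
(identifier, web_url, project), the sample payloads and the HTML produced
here are assumptions chosen to show the bug class.
"""
import html
import re
from urllib.parse import urlsplit

# Constructed payload, as a hostile integration might send it: an HTML tag
# smuggled into the issue identifier and a javascript: scheme in the link.
MALICIOUS_PAYLOAD = {
    "identifier": 'PROJ-42<img src=x onerror="alert(document.cookie)">',
    "web_url": "javascript:alert(1)",
    "project": "Tracker",
}

# Constructed payload as a well-behaved tracker would send it.
BENIGN_PAYLOAD = {
    "identifier": "PROJ-42",
    "web_url": "https://tracker.example.com/browse/PROJ-42",
    "project": "Tracker",
}

ALLOWED_URL_SCHEMES = {"http", "https"}
# Tracker identifiers and project names are short, printable references;
# anything that needs angle brackets, quotes or parentheses is suspect.
SAFE_TEXT = re.compile(r"^[\w\s.,:#/\-]{1,200}$")


def render_link_vulnerable(payload):
    """Stores and renders the fields verbatim: the stored-XSS pattern."""
    return '<a href="{web_url}">{project} {identifier}</a>'.format(**payload)


def validate_external_issue(payload):
    """Reject on ingestion anything that cannot be a plain tracker reference.

    Returns (ok, reason). Validation is the first layer; output escaping
    below is the second, so a bypass of one does not defeat the other.
    """
    for field in ("identifier", "project"):
        value = payload.get(field, "")
        if not isinstance(value, str) or not SAFE_TEXT.match(value):
            return False, f"{field} contains disallowed characters"
    parts = urlsplit(payload.get("web_url", ""))
    # Blocks javascript:, data: and scheme-relative links in the href.
    if parts.scheme.lower() not in ALLOWED_URL_SCHEMES or not parts.netloc:
        return False, "web_url must be an absolute http(s) URL"
    return True, ""


def render_link_safe(payload):
    """Validate first, then escape every field (quote=True covers attributes)."""
    ok, reason = validate_external_issue(payload)
    if not ok:
        raise ValueError(reason)
    escaped = {k: html.escape(v, quote=True) for k, v in payload.items()}
    return '<a href="{web_url}">{project} {identifier}</a>'.format(**escaped)


if __name__ == "__main__":
    print("vulnerable:", render_link_vulnerable(MALICIOUS_PAYLOAD))
    print("safe      :", render_link_safe(BENIGN_PAYLOAD))
    print("rejected  :", validate_external_issue(MALICIOUS_PAYLOAD))
```

The two layers are deliberate: an allow-list on ingestion keeps hostile markup out of the database, and escaping at render time protects rows that were stored before the check existed, which is the situation a self-hosted operator is in after upgrading.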
References
- github.com/advisories/GHSA-fm88-hc3v-3www
- github.com/getsentry/self-hosted/releases/tag/24.7.1
- github.com/getsentry/sentry
- github.com/getsentry/sentry/commit/5c679521f1539eabfb81287bfc30f34dbecd373e
- github.com/getsentry/sentry/pull/74648
- github.com/getsentry/sentry/security/advisories/GHSA-fm88-hc3v-3www
- nvd.nist.gov/vuln/detail/CVE-2024-41656