Cross-site Scripting Vulnerability in Sentry Error Tracking Platform
CVE-2024-41656

7.1HIGH

Key Information:

Vendor

Getsentry

Status
Sentry
Vendor
CVE Published:
23 July 2024

What is CVE-2024-41656?

The Sentry error tracking platform is vulnerable due to an issue that allows the storage and rendering of arbitrary HTML tags on the Issues page, resulting from unsanitized payloads sent by integration platforms. This vulnerability is particularly concerning for self-hosted Sentry users that receive external issues from untrusted sources. A security patch was released in Sentry version 24.7.1 on July 23, which effectively resolves this issue. SaaS customers of Sentry remain unaffected and do not need to take action due to the strict Content Security Policy (CSP) implemented on the sentry.io site. For users of self-hosted Sentry, it is strongly advised to upgrade to the latest version. If immediate upgrading is not feasible, enabling CSP in enforcing mode is recommended to mitigate the risk of cross-site scripting attacks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

sentry >= 10.0.0, < 24.7.1

References

https://github.com/getsentry/sentry/security/advisories/G...
x_refsource_CONFIRM
https://github.com/getsentry/sentry/pull/74648
x_refsource_MISC
https://github.com/getsentry/sentry/commit/5c679521f1539e...
x_refsource_MISC

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

JSON
.