CVE-2024-41656: Sentry vulnerable to stored Cross-Site Scripting (XSS)

July 23, 2024

An unsanitized payload sent by an Integration platform integration allows the storage of arbitrary HTML tags on the Sentry side. This payload could subsequently be rendered on the Issues page, creating a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability might lead to the execution of arbitrary scripts in the context of a user’s browser.

Self-hosted Sentry users may be impacted if untrustworthy Integration platform integrations send external issues to their Sentry instance.

References

github.com/advisories/GHSA-fm88-hc3v-3www
github.com/getsentry/self-hosted/releases/tag/24.7.1
github.com/getsentry/sentry
github.com/getsentry/sentry/pull/74648
github.com/getsentry/sentry/security/advisories/GHSA-fm88-hc3v-3www
nvd.nist.gov/vuln/detail/CVE-2024-41656

Code Behaviors & Features

Detect and mitigate CVE-2024-41656 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →