CVE-2024-49579: 
YouTrack vulnerability analysis and mitigation

A security vulnerability identified as CVE-2024-49579 was discovered in JetBrains YouTrack versions before 2024.3.47197. The vulnerability involves an insecure plugin iframe that allowed arbitrary JavaScript execution and unauthorized API requests (NVD Details, CVE Details). The vulnerability was disclosed on October 17, 2024.

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) by NIST and 8.1 (HIGH) by JetBrains. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction. The vulnerability is classified under CWE-940 (Improper Verification of Source of a Communication Channel) (NVD Details).

The vulnerability could allow attackers to execute arbitrary JavaScript code and make unauthorized API requests through the insecure plugin iframe. This could potentially lead to unauthorized access to sensitive information and compromise of system integrity (NVD Details).

Users are advised to upgrade to JetBrains YouTrack version 2024.3.47197 or later to address this vulnerability (JetBrains Advisory).