PT-2024-29485 · Sentry · Sentry
Stsewd · Published 2024-07-23 · Updated 2024-07-24 · CVE-2024-41656
CVSS v3.1: 7.1 High
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Sentry versions 10.0.0 through 24.7.0
Description: An unsanitized payload sent by an Integration platform integration can store arbitrary HTML tags on the Sentry side, which are then rendered on the Issues page. This is a Stored Cross-Site Scripting (XSS) vulnerability: the injected markup executes scripts in the browser of any user who views the affected issue. Self-hosted Sentry users are impacted if untrustworthy Integration platform integrations are able to send external issues to their Sentry instance.
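The following is an added example, not code from Sentry or from the advisory, that shows the class of bug described above and its hardened form. An external-issue payload from an integration is rendered as a link on the Issues page; the field names (identifier, displayName, webUrl) and the payloads are constructed for illustration and are assumptions, not the actual Sentry API. The unsafe renderer interpolates integration-controlled text straight into HTML, so markup survives; the safe renderer escapes text and attribute values and separately restricts the link to http(s), because escaping alone does not stop a javascript: URL.

```python
import html
from urllib.parse import urlsplit

# Constructed sample payloads, as an Integration platform integration might
# send them. Field names are assumed for illustration only.
MALICIOUS_PAYLOAD = {
    "identifier": "PROJ-123",
    "displayName": "<img src=x onerror=alert(document.domain)>",
    "webUrl": "javascript:alert(1)",
}

BENIGN_PAYLOAD = {
    "identifier": "PROJ-124",
    "displayName": "Tracker issue #124 <urgent>",
    "webUrl": "https://tracker.example.com/browse/PROJ-124",
}

SAFE_SCHEMES = {"http", "https"}


def render_link_unsafe(payload):
    """Failure mode: integration-controlled text is interpolated into HTML
    as-is, so tags, attributes and javascript: URLs reach the viewer's browser."""
    return '<a href="{}">{}</a>'.format(payload["webUrl"], payload["displayName"])


def safe_url(url):
    """Allow only absolute http(s) links. Anything else (javascript:, data:,
    scheme-relative //host) is replaced with a harmless fragment link."""
    parts = urlsplit(url)
    if parts.scheme.lower() in SAFE_SCHEMES and parts.netloc:
        return url
    return "#"


def render_link_safe(payload):
    """Hardened form: escape text and attribute values (quote=True also
    escapes ' and "), and validate the URL scheme before it becomes href."""
    href = html.escape(safe_url(payload["webUrl"]), quote=True)
    text = html.escape(payload["displayName"], quote=True)
    return f'<a href="{href}">{text}</a>'


if __name__ == "__main__":
    print("unsafe:", render_link_unsafe(MALICIOUS_PAYLOAD))
    print("safe:  ", render_link_safe(MALICIOUS_PAYLOAD))
    print("benign:", render_link_safe(BENIGN_PAYLOAD))
```

The benign payload shows that escaping is lossless for the reader: the angle brackets in "<urgent>" are displayed literally instead of being interpreted, while the tracker link still works.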
Recommendations: For self-hosted users, upgrade Sentry to the latest version (the affected range ends at 24.7.0). If upgrading is not possible, enable CSP on the self-hosted installation with CSP_REPORT_ONLY = False (enforcing mode) to mitigate the risk of cross-site scripting; a report-only policy logs violations but does not block injected scripts. For Sentry SaaS customers, no action is needed, as the issue has been patched.
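The mitigation above only helps if the policy is actually enforced and does not re-enable inline scripts. The following added check, which is not part of the advisory or of Sentry, takes a dict of response headers (for example from `curl -sI` against your instance) and reports whether an enforcing Content-Security-Policy header is present and whether its effective script-src would block an injected inline script or event handler. The header sets are constructed samples; what a real Sentry instance emits depends on its settings.

```python
# Constructed sample header sets; not captured from a Sentry instance.
REPORT_ONLY_HEADERS = {
    "Content-Security-Policy-Report-Only": "default-src 'self'; script-src 'self'",
}
ENFORCING_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
}
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
NONCE_HEADERS = {
    "Content-Security-Policy": "script-src 'nonce-r4nd0m' 'unsafe-inline'",
}

# Source expressions that make browsers (CSP Level 2+) ignore 'unsafe-inline'.
INLINE_OVERRIDES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_sources(directives):
    """Inline scripts and inline event handlers are governed by script-src,
    which falls back to default-src when script-src is absent."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src", [])


def csp_status(headers):
    """Report whether CSP is enforced and whether it blocks injected inline scripts."""
    lower = {k.lower(): v for k, v in headers.items()}
    enforcing = lower.get("content-security-policy")
    report_only = lower.get("content-security-policy-report-only")
    result = {"enforcing": False, "blocks_inline_scripts": False}
    if not enforcing:
        result["reason"] = (
            "report-only policy: violations are reported, not blocked"
            if report_only else "no CSP header present"
        )
        return result
    result["enforcing"] = True
    sources = [s.lower() for s in script_sources(parse_csp(enforcing))]
    if not sources:
        result["reason"] = "no script-src or default-src: inline scripts are unrestricted"
        return result
    has_nonce_or_hash = any(s.startswith(INLINE_OVERRIDES) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        result["reason"] = "'unsafe-inline' in script-src re-enables injected inline scripts"
        return result
    result["blocks_inline_scripts"] = True
    result["reason"] = "enforcing policy without effective 'unsafe-inline' for scripts"
    return result


if __name__ == "__main__":
    for name, hdrs in [("report-only", REPORT_ONLY_HEADERS), ("enforcing", ENFORCING_HEADERS),
                       ("weak", WEAK_HEADERS), ("nonce", NONCE_HEADERS)]:
        print(name, csp_status(hdrs))
```

Setting CSP_REPORT_ONLY = False switches the instance from the Report-Only header to the enforcing header, which is the first condition this check looks for; the second condition matters because a policy that keeps 'unsafe-inline' in script-src without a nonce or hash does nothing against stored XSS.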

Weakness Enumeration: XSS
Related Identifiers: CVE-2024-41656, GHSA-fm88-hc3v-3www
Affected Products: Sentry