JetBrains TeamCity 8 and 9 before 9.0.2 allows bypass of account-creation restrictions via a crafted request because the required request data can be deduced by reading HTML and JavaScript files that are returned to the web browser after an initial unauthenticated request.
[
{
"vendor": "JetBrains",
"product": "TeamCity",
"versions": [
{
"version": "8.0.1",
"status": "affected",
"lessThan": "9.0.2",
"versionType": "semver"
}
]
}
]