In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user. It is only relevant in cases where a password has not changed since 2017, and if the audit log still contains events from before that period.
CVSS 7.2 | AI Score 7 | EPSS 0.001
In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password and no password expiration policy was implemented.
CVSS 5.3 | AI Score 5.3 | EPSS 0.001
In JetBrains Hub versions earlier than 2019.1.11738, username enumeration was possible through password recovery.
CVSS 5.3 | AI Score 5.4 | EPSS 0.001
In JetBrains Hub before 2020.1.12099, content spoofing in the Hub OAuth error message was possible.
CVSS 7.5 | AI Score 7.5 | EPSS 0.001
In JetBrains Hub before 2020.1.12629, an authenticated user can delete 2FA settings of any other user.
CVSS 6.5 | AI Score 6.4 | EPSS 0.001
In JetBrains Hub before 2020.1.12669, information disclosure via the public API was possible.
CVSS 5.3 | AI Score 5.1 | EPSS 0.001
In JetBrains Hub before 2021.1.13079, two-factor authentication wasn't enabled properly for the All Users group.
CVSS 7.5 | AI Score 7.7 | EPSS 0.001
In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset.
CVSS 9.8 | AI Score 9.5 | EPSS 0.002
In JetBrains Hub before 2021.1.13262, a potentially insufficient CSP for the Widget deployment feature was used.
CVSS 6.5 | AI Score 6.4 | EPSS 0.001
In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible.
CVSS 6.1 | AI Score 6.4 | EPSS 0.001
In JetBrains Hub before 2021.1.13690, information disclosure via avatar metadata is possible.
CVSS 7.5 | AI Score 7.2 | EPSS 0.002
In JetBrains Hub before 2021.1.13690, the authentication throttling mechanism could be bypassed.
CVSS 9.8 | AI Score 9.5 | EPSS 0.003
In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions.
CVSS 7.5 | AI Score 7.5 | EPSS 0.002
JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF).
CVSS 9.1 | AI Score 9.2 | EPSS 0.002
In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services.
CVSS 5.3 | AI Score 5.3 | EPSS 0.001
In JetBrains Hub before 2022.3.15181, throttling was missing when sending emails to a particular email address.
CVSS 7.5 | AI Score 7.4 | EPSS 0.001
In JetBrains Hub before 2022.3.15573, 2022.2.15572 and 2022.1.15583, reflected XSS in dashboards was possible.
CVSS 5.4 | AI Score 5.2 | EPSS 0.001
In JetBrains Hub before 2023.1.15725, SSRF protection in the Auth Module integration was missing.
CVSS 9.8 | AI Score 9.3 | EPSS 0.002
In JetBrains Hub before 2024.2.34646, stored XSS via the project description was possible.
CVSS 5.4 | AI Score 3.8 | EPSS 0.0004