Jetbrains Security Vulnerabilities
In JetBrains YouTrack Mobile before 2021.2, access token protection on iOS is incomplete.
7.3CVSS
6.9AI Score
0.001EPSS
In JetBrains YouTrack Mobile before 2021.2, access token protection on Android is incomplete.
7.3CVSS
7.1AI Score
0.001EPSS
5.3CVSS
5.3AI Score
0.001EPSS
JetBrains YouTrack Mobile before 2021.2, is missing the security screen on Android and iOS.
5.3CVSS
5.3AI Score
0.001EPSS
5.3CVSS
5AI Score
0.001EPSS
In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible.
9.8CVSS
9.7AI Score
0.006EPSS
5.3CVSS
5.3AI Score
0.001EPSS
5.3CVSS
5.3AI Score
0.001EPSS
In JetBrains TeamCity before 2021.1, information disclosure via the Docker Registry connection dialog is possible.
7.5CVSS
7.2AI Score
0.002EPSS
In JetBrains TeamCity before 2021.1.2, email notifications could include unescaped HTML for XSS.
6.1CVSS
6.2AI Score
0.001EPSS
5.4CVSS
5.2AI Score
0.001EPSS
In JetBrains TeamCity before 2021.1.2, permission checks in the Create Patch functionality are insufficient.
5.3CVSS
5.2AI Score
0.001EPSS
In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient.
9.8CVSS
9.4AI Score
0.002EPSS
In JetBrains TeamCity before 2021.1.3, a newly created project could take settings from an already deleted project.
5.3CVSS
5.2AI Score
0.001EPSS
In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases.
9.8CVSS
9.4AI Score
0.002EPSS
In JetBrains Ktor before 1.6.4, nonce verification during the OAuth2 authentication process is implemented improperly.
7.5CVSS
7.7AI Score
0.001EPSS
JetBrains IntelliJ IDEA 2021.3.1 Preview, IntelliJ IDEA 2021.3.1 RC, PyCharm Professional 2021.3.1 RC, GoLand 2021.3.1, PhpStorm 2021.3.1 Preview, PhpStorm 2021.3.1 RC, RubyMine 2021.3.1 Preview, RubyMine 2021.3.1 RC, CLion 2021.3.1, WebStorm 2021.3.1 Preview, and WebStorm 2021.3.1 RC (used as Remo...
9.8CVSS
9.4AI Score
0.002EPSS
In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions.
7.5CVSS
7.5AI Score
0.002EPSS
6.5CVSS
6.5AI Score
0.001EPSS
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
5.3CVSS
5.4AI Score
0.001EPSS
In JetBrains TeamCity before 2021.2.1, a redirection to an external site was possible.
6.1CVSS
6.1AI Score
0.001EPSS
In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible.
9.8CVSS
9.5AI Score
0.002EPSS
In JetBrains TeamCity before 2021.2, a logout action didn't remove a Remember Me cookie.
5.3CVSS
5.2AI Score
0.001EPSS
6.5CVSS
6.4AI Score
0.001EPSS
In JetBrains TeamCity before 2021.2.1, the Agent Push feature allowed selection of any private key on the server.
5.3CVSS
5.3AI Score
0.001EPSS
JetBrains TeamCity before 2021.2 was vulnerable to a Time-of-check/Time-of-use (TOCTOU) race-condition attack in agent registration via XML-RPC.
8.1CVSS
7.9AI Score
0.002EPSS
In JetBrains TeamCity before 2021.2.1, an unauthenticated attacker can cancel running builds via an XML-RPC request to the TeamCity server.
5.3CVSS
5.3AI Score
0.001EPSS
In JetBrains TeamCity before 2021.2, health items of pull requests were shown to users who lacked appropriate permissions.
6.5CVSS
6.4AI Score
0.001EPSS
6.1CVSS
6.2AI Score
0.001EPSS
5.4CVSS
5.4AI Score
0.001EPSS
In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible.
9.8CVSS
9.4AI Score
0.002EPSS
In JetBrains TeamCity before 2021.2.1, editing a user account to change its password didn't terminate sessions of the edited user.
7.5CVSS
7.5AI Score
0.001EPSS
8.8CVSS
8.8AI Score
0.001EPSS
In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions.
4.3CVSS
4.6AI Score
0.001EPSS
JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page.
5.4CVSS
5.1AI Score
0.001EPSS
In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (without permission from a user) upon opening a project was possible.
7.8CVSS
7.7AI Score
0.0004EPSS
In JetBrains IntelliJ IDEA before 2021.3.1, local code execution via RLO (Right-to-Left Override) characters was possible.
7.8CVSS
7.7AI Score
0.0004EPSS
JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon.
5.4CVSS
5.1AI Score
0.001EPSS
JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.
9.8CVSS
9.4AI Score
0.002EPSS
6.1CVSS
6.2AI Score
0.001EPSS
JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF).
9.1CVSS
9.2AI Score
0.002EPSS
6.1CVSS
6.2AI Score
0.001EPSS
9.8CVSS
9.4AI Score
0.002EPSS
JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration.
9.8CVSS
9.7AI Score
0.001EPSS
In JetBrains TeamCity before 2021.2.3, environment variables of the "password" type could be logged in some cases.
7.5CVSS
7.5AI Score
0.002EPSS
In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered
5.7CVSS
5.6AI Score
0.001EPSS
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description
5.4CVSS
5.4AI Score
0.001EPSS
In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI
7.3CVSS
5.4AI Score
0.001EPSS
In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields
8.4CVSS
5.5AI Score
0.0004EPSS
In JetBrains Ktor Native before version 2.0.0 random values used for nonce generation weren't using SecureRandom implementations
3.3CVSS
4.1AI Score
0.001EPSS