28 matches found
CVE-2022-24327
In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions.
CVE-2022-25262
In JetBrains Hub before 2022.1.14434, SAML request takeover was possible.
CVE-2022-25259
JetBrains Hub before 2021.1.14276 was vulnerable to reflected XSS.
CVE-2022-25260
JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF).
CVE-2019-12847
In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user. It is only relevant in cases where a password has not changed since 2017, and if the audit log still contains events from before that period.
CVE-2022-24328
In JetBrains Hub before 2021.1.13956, an unprivileged user could perform DoS.
CVE-2019-14955
In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password and no password expiration policy was implemented.
CVE-2021-36209
In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset.
CVE-2021-37540
In JetBrains Hub before 2021.1.13262, a potentially insufficient CSP for the Widget deployment feature was used.
CVE-2022-34894
In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services
CVE-2022-29811
In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible.
CVE-2021-37541
In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible.
CVE-2022-48429
In JetBrains Hub before 2022.3.15573, 2022.2.15572, 2022.1.15583 reflected XSS in dashboards was possible
CVE-2025-24456
In JetBrains Hub before 2024.3.55417 privilege escalation was possible via LDAP authentication mapping
CVE-2021-25760
In JetBrains Hub before 2020.1.12669, information disclosure via the public API was possible.
CVE-2019-18360
In JetBrains Hub versions earlier than 2019.1.11738, username enumeration was possible through password recovery.
CVE-2020-11691
In JetBrains Hub before 2020.1.12099, content spoofing in the Hub OAuth error message was possible.
CVE-2021-25757
In JetBrains Hub before 2020.1.12629, an open redirect was possible.
CVE-2021-43183
In JetBrains Hub before 2021.1.13690, the authentication throttling mechanism could be bypassed.
CVE-2021-25759
In JetBrains Hub before 2020.1.12629, an authenticated user can delete 2FA settings of any other user.
CVE-2022-45471
In JetBrains Hub before 2022.3.15181 Throttling was missed when sending emails to a particular email address
CVE-2024-38507
In JetBrains Hub before 2024.2.34646 stored XSS via project description was possible
CVE-2021-43182
In JetBrains Hub before 2021.1.13415, a DoS via user information is possible.
CVE-2022-48477
In JetBrains Hub before 2023.1.15725 SSRF protection in Auth Module integration was missing
CVE-2024-50573
In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services
CVE-2021-43180
In JetBrains Hub before 2021.1.13690, information disclosure via avatar metadata is possible.
CVE-2021-43181
In JetBrains Hub before 2021.1.13690, stored XSS is possible.
CVE-2021-31901
In JetBrains Hub before 2021.1.13079, two-factor authentication wasn't enabled properly for the All Users group.