92 matches found
CVE-2019-12852
An SSRF attack was possible on a JetBrains YouTrack server. The issue (1 of 2) was fixed in JetBrains YouTrack 2018.4.49168.
CVE-2019-12851
A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852.
CVE-2019-12866
An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains YouTrack. The issue was fixed in 2018.4.49168.
CVE-2024-47160
In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible
CVE-2024-47162
In JetBrains YouTrack before 2024.3.44799 token could be revealed on Imports page
CVE-2024-47159
In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project
CVE-2019-15041
JetBrains YouTrack versions before 2019.1.52545 allowed unbounded URL whitelisting because of Inclusion of Functionality from an Untrusted Control Sphere.
CVE-2022-28650
In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI
CVE-2024-50575
In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API
CVE-2022-24344
JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page.
CVE-2019-12867
Certain actions could cause privilege escalation for issue attachments in JetBrains YouTrack. The issue was fixed in 2018.4.49168.
CVE-2022-24347
JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon.
CVE-2019-12850
A query injection was possible in JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49168.
CVE-2024-48902
In JetBrains YouTrack before 2024.3.46677 improper access control allowed users with project update permission to delete applications via API
CVE-2019-14953
JetBrains YouTrack versions before 2019.2.53938 had a possible XSS through issue attachments when using the Firefox browser.
CVE-2024-49579
In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests
CVE-2022-28648
In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered
CVE-2024-50578
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page
CVE-2022-24343
In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions.
CVE-2022-28649
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description
CVE-2024-50580
In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule
CVE-2024-50581
In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag
CVE-2021-25770
In JetBrains YouTrack before 2020.5.3123, server-side template injection (SSTI) was possible, which could lead to code execution.
CVE-2024-50576
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest
CVE-2024-50582
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements
CVE-2020-15818
In JetBrains YouTrack before 2020.2.8527, the subtasks workflow could disclose issue existence.
CVE-2020-27624
JetBrains YouTrack before 2020.3.888 was vulnerable to SSRF.
CVE-2024-50577
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings
CVE-2020-15823
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2024-28229
In JetBrains YouTrack before 2024.1.25893 user without appropriate permissions could restore issues and articles
CVE-2024-54157
In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector
CVE-2022-24442
JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.
CVE-2020-15821
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2021-37549
In JetBrains YouTrack before 2021.1.11111, sandboxing in workflows was insufficient.
CVE-2021-37550
In JetBrains YouTrack before 2021.2.16363, time-unsafe comparisons were used.
CVE-2020-15819
JetBrains YouTrack before 2020.2.10643 was vulnerable to SSRF that allowed scanning internal ports.
CVE-2025-24458
In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration
CVE-2021-37551
In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.
CVE-2024-28230
In JetBrains YouTrack before 2024.1.25893 attaching/detaching workflow to a project was possible without project admin permissions
CVE-2020-15820
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2021-37554
In JetBrains YouTrack before 2021.3.21051, a user could see boards without having corresponding permissions.
CVE-2024-28228
In JetBrains YouTrack before 2024.1.25893 creation comments on behalf of an arbitrary user in HelpDesk was possible
CVE-2024-38506
In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows
CVE-2020-15817
In JetBrains YouTrack before 2020.1.1331, an external user could execute commands against arbitrary issues.
CVE-2020-25210
In JetBrains YouTrack before 2020.3.7955, an attacker could access workflow rules without appropriate access grants.
CVE-2021-25765
In JetBrains YouTrack before 2020.4.4701, CSRF via attachment upload was possible.
CVE-2024-54154
In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox
CVE-2021-37552
In JetBrains YouTrack before 2021.2.17925, stored XSS was possible.
CVE-2021-37553
In JetBrains YouTrack before 2021.2.16363, an insecure PRNG was used.
CVE-2020-7912
In JetBrains YouTrack before 2019.2.59309, SMTP/Jabber settings could be accessed using backups.