15 matches found
CVE-2019-15041
JetBrains YouTrack versions before 2019.1.52545 allowed unbounded URL whitelisting because of Inclusion of Functionality from an Untrusted Control Sphere.
CVE-2024-50575
In JetBrains YouTrack before 2024.3.47707, reflected XSS was possible in the Widget API.
CVE-2019-14953
JetBrains YouTrack versions before 2019.2.53938 had a possible XSS through issue attachments when using the Firefox browser.
CVE-2024-28229
In JetBrains YouTrack before 2024.1.25893, a user without appropriate permissions could restore issues and articles.
CVE-2024-54157
In JetBrains YouTrack before 2024.3.52635, a potential ReDoS was possible due to a vulnerable RegExp in the Ruby syntax detector.
CVE-2020-15821
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2024-28230
In JetBrains YouTrack before 2024.1.25893, attaching/detaching a workflow to a project was possible without project admin permissions.
CVE-2019-14952
JetBrains YouTrack versions before 2019.1.52584 had a possible XSS in the issue titles.
CVE-2021-31903
In JetBrains YouTrack before 2021.1.9819, a pull request's title was sanitized insufficiently, leading to XSS.
CVE-2024-54156
In JetBrains YouTrack before 2024.3.52635, multiple merge functions were vulnerable to a prototype pollution attack.
CVE-2024-54153
In JetBrains YouTrack before 2024.3.51866, an unauthenticated database backup download was possible via a vulnerable query parameter.
CVE-2024-50579
In JetBrains YouTrack before 2024.3.47707, reflected XSS due to insecure link sanitization was possible.
CVE-2019-16171
In JetBrains YouTrack through 2019.2.56594, stored XSS was found on the issue page.
CVE-2020-7913
JetBrains YouTrack 2019.2 before 2019.2.59309 was vulnerable to XSS via an issue description.
CVE-2020-24618
In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, 2020.1.11011, 2019.1.65514, 2019.2.65515, and 2019.3.65516, an attacker can retrieve an issue description without appropriate access.