Youtrack Security Vulnerabilities and Issues — Youtrack CVE List

Lucene search

JetbrainsYoutrack

28 matches found

CVE•added 2024/09/19 6:15 p.m.•107 views

CVE-2024-47160

In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible

5.3CVSS7.1AI score0.00002EPSS

CVE•added 2024/09/19 6:15 p.m.•106 views

CVE-2024-47162

In JetBrains YouTrack before 2024.3.44799 token could be revealed on Imports page

5.3CVSS7.2AI score0.00002EPSS

CVE•added 2024/09/19 6:15 p.m.•105 views

CVE-2024-47159

In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project

4.3CVSS7.1AI score0.00003EPSS

CVE•added 2024/10/28 1:15 p.m.•86 views

CVE-2024-50575

In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API

6.1CVSS6.1AI score0.21262EPSS

CVE•added 2024/10/10 11:15 a.m.•75 views

CVE-2024-48902

In JetBrains YouTrack before 2024.3.46677 improper access control allowed users with project update permission to delete applications via API

5.4CVSS7.1AI score0.00005EPSS

CVE•added 2024/10/17 1:15 p.m.•72 views

CVE-2024-49579

In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests

8.1CVSS7.1AI score0.00078EPSS

CVE•added 2024/10/28 1:15 p.m.•64 views

CVE-2024-50578

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page

5.4CVSS6AI score0.21262EPSS

CVE•added 2024/10/28 1:15 p.m.•62 views

CVE-2024-50580

In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule

5.4CVSS6.2AI score0.21262EPSS

CVE•added 2024/10/28 1:15 p.m.•60 views

CVE-2024-50581

In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag

5.4CVSS6AI score0.21262EPSS

CVE•added 2024/10/28 1:15 p.m.•59 views

CVE-2024-50576

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest

5.4CVSS5.9AI score0.21262EPSS

CVE•added 2024/10/28 1:15 p.m.•59 views

CVE-2024-50582

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements

5.4CVSS5.8AI score0.21262EPSS

CVE•added 2024/10/28 1:15 p.m.•58 views

CVE-2024-50577

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings

5.4CVSS6.2AI score0.16206EPSS

CVE•added 2024/03/07 12:15 p.m.•56 views

CVE-2024-28229

In JetBrains YouTrack before 2024.1.25893 user without appropriate permissions could restore issues and articles

6.5CVSS6.5AI score0.00005EPSS

CVE•added 2024/12/04 12:15 p.m.•56 views

CVE-2024-54157

In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector

6.5CVSS6.9AI score0.00004EPSS

CVE•added 2024/03/07 12:15 p.m.•52 views

CVE-2024-28230

In JetBrains YouTrack before 2024.1.25893 attaching/detaching workflow to a project was possible without project admin permissions

6.5CVSS6.4AI score0.00005EPSS

CVE•added 2024/03/07 12:15 p.m.•49 views

CVE-2024-28228

In JetBrains YouTrack before 2024.1.25893 creation comments on behalf of an arbitrary user in HelpDesk was possible

5.3CVSS5.4AI score0.00009EPSS

CVE•added 2024/06/18 11:15 a.m.•49 views

CVE-2024-38506

In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows

8.1CVSS6.4AI score0.00013EPSS

CVE•added 2024/12/04 12:15 p.m.•47 views

CVE-2024-54154

In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox

9.8CVSS7.1AI score0.00169EPSS

CVE•added 2024/10/28 1:15 p.m.•44 views

CVE-2024-50574

In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible via email header parsing in Helpdesk functionality

7.5CVSS7AI score0.00009EPSS

CVE•added 2024/12/04 12:15 p.m.•44 views

CVE-2024-54158

In JetBrains YouTrack before 2024.3.52635 potential spoofing attack was possible via lack of Punycode encoding

5.3CVSS7AI score0.00003EPSS

CVE•added 2024/06/18 11:15 a.m.•41 views

CVE-2024-38505

In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site

7.5CVSS5.3AI score0.00006EPSS

CVE•added 2024/12/04 12:15 p.m.•41 views

CVE-2024-54155

In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication

5.3CVSS7.2AI score0.00002EPSS

CVE•added 2024/12/04 12:15 p.m.•41 views

CVE-2024-54156

In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack

6.5CVSS7AI score0.00009EPSS

CVE•added 2024/06/18 11:15 a.m.•40 views

CVE-2024-38504

In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles

5.3CVSS4.8AI score0.00009EPSS

CVE•added 2024/12/04 12:15 p.m.•39 views

CVE-2024-54153

In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via vulnerable query parameter

6.5CVSS7.1AI score0.00002EPSS

CVE•added 2024/10/28 1:15 p.m.•37 views

CVE-2024-50579

In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible

6.1CVSS6.1AI score0.21262EPSS

CVE•added 2024/01/09 10:15 a.m.•36 views

CVE-2024-22370

In JetBrains YouTrack before 2023.3.22666 stored XSS via markdown was possible

5.4CVSS5.2AI score0.21167EPSS

CVE•added 2024/05/16 11:15 a.m.•36 views

CVE-2024-35299

In JetBrains YouTrack before 2024.1.29548 the SMTPS protocol communication lacked proper certificate hostname validation

7.5CVSS6.9AI score0.00005EPSS