Jetbrains : Security Vulnerabilities, CVEs, CVSS score >= 4

In JetBrains TeamCity before 2024.03 server administrators could remove arbitrary files from the server by installing tools

In JetBrains TeamCity before 2024.03 xXE was possible in the Maven build steps detector

In JetBrains TeamCity before 2024.03 xSS was possible via Agent Distribution settings

In JetBrains TeamCity before 2024.03 reflected XSS was possible via Space connection configuration

In JetBrains TeamCity before 2024.03 2FA could be bypassed by providing a special URL parameter

In JetBrains TeamCity before 2024.03 open redirect was possible on the login page

In JetBrains TeamCity before 2024.03 authenticated users without administrative permissions could register other users when self-registration was disabled

In JetBrains TeamCity before 2023.11 users with access to the agent machine might obtain permissions of the user running the agent process

In JetBrains YouTrack before 2024.1.25893 attaching/detaching workflow to a project was possible without project admin permissions

In JetBrains YouTrack before 2024.1.25893 user without appropriate permissions could restore issues and articles

In JetBrains YouTrack before 2024.1.25893 creation comments on behalf of an arbitrary user in HelpDesk was possible

In JetBrains TeamCity before 2023.11.4 presigned URL generation requests in S3 Artifact Storage plugin were authorized improperly

In JetBrains TeamCity between 2023.11 and 2023.11.4 custom build parameters of the "password" type could be disclosed

In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible

In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible

In JetBrains Toolbox App before 2.2 a DoS attack was possible via a malicious SVG image

In JetBrains TeamCity before 2023.11.3 path traversal allowed reading data within JAR archives

In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL

In JetBrains IntelliJ IDEA before 2023.3.3 path traversal was possible when unpacking archives

In JetBrains Rider before 2023.3.3 logging of environment variables containing secret values was possible

In JetBrains TeamCity before 2023.11.2 limited directory traversal was possible in the Kotlin DSL documentation

In JetBrains TeamCity before 2023.11.2 stored XSS via agent distribution was possible

In JetBrains TeamCity before 2023.11.2 access control at the S3 Artifact Storage plugin endpoint was missed

In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible

In JetBrains YouTrack before 2023.3.22666 stored XSS via markdown was possible