Jetbrains » Youtrack : Security Vulnerabilities, CVEs,

In JetBrains YouTrack before 2024.1.25893 attaching/detaching workflow to a project was possible without project admin permissions

In JetBrains YouTrack before 2024.1.25893 user without appropriate permissions could restore issues and articles

In JetBrains YouTrack before 2024.1.25893 creation comments on behalf of an arbitrary user in HelpDesk was possible

In JetBrains YouTrack before 2023.3.22666 stored XSS via markdown was possible

In JetBrains YouTrack before 2023.3.22268 authorization check for inline comments inside thread replies was missed

In JetBrains YouTrack before 2023.1.16597 captcha was not properly validated for Helpdesk forms

In JetBrains YouTrack before 2023.1.10518 stored XSS in a Markdown-rendering engine was possible

In JetBrains YouTrack before 2023.1.10518 a DoS attack was possible via Helpdesk forms

In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI

In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description

In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered

JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.

JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon.

JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page.

In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions.

JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS.

JetBrains YouTrack before 2021.3.23639 is vulnerable to Host header injection.

In JetBrains YouTrack before 2021.3.21051, stored XSS is possible.

In JetBrains YouTrack before 2021.3.21051, a user could see boards without having corresponding permissions.

In JetBrains YouTrack before 2021.2.16363, an insecure PRNG was used.

In JetBrains YouTrack before 2021.2.17925, stored XSS was possible.

In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.

In JetBrains YouTrack before 2021.2.16363, time-unsafe comparisons were used.

In JetBrains YouTrack before 2021.1.11111, sandboxing in workflows was insufficient.

In JetBrains YouTrack before 2020.6.8801, information disclosure in an issue preview was possible.