In JetBrains YouTrack through 2019.2.56594, stored XSS was found on the issue page.
In JetBrains TeamCity before 2022.04 reflected XSS on the Build Chain Status page was possible.
JetBrains Upsource before 2019.1.1412 was not properly escaping HTML tags in code block comments, leading to XSS.
In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in internal web server was possible.
In JetBrains TeamCity before 2022.04 potential XSS via Referrer header was possible.
JetBrains Hub before 2021.1.14276 was vulnerable to reflected XSS.
JetBrains TeamCity before 2021.2.1 was vulnerable to reflected XSS.
JetBrains TeamCity 2019.1 and 2019.1.1 allows cross-site scripting (XSS), potentially making it possible to send an arbitrary HTTP request to a TeamCity server under the name of the currently logged-in user.
JetBrains YouTrack versions before 2019.2.53938 had a possible XSS through issue attachments when using the Firefox browser.
JetBrains YouTrack versions before 2019.1.52584 had a possible XSS in the issue titles.
An issue was discovered in JetBrains TeamCity 2018.2.4. It had several XSS vulnerabilities on the settings pages. The issues were fixed in TeamCity 2019.1.
A reflected XSS on a user page was detected on one of the JetBrains TeamCity pages. The issue was fixed in TeamCity 2018.2.2.
JetBrains TeamCity before 2021.2.2 was vulnerable to reflected XSS.
In JetBrains Hub before 2021.1.13690, stored XSS is possible.
In JetBrains TeamCity before 2021.1.2, email notifications could include unescaped HTML for XSS.
In JetBrains TeamCity before 2020.2.3, XSS was possible.
In JetBrains TeamCity before 2020.2.3, reflected XSS was possible on several pages.
In JetBrains YouTrack before 2021.1.9819, a pull request's title was sanitized insufficiently, leading to XSS.
JetBrains TeamCity before 2020.2 was vulnerable to reflected XSS on several pages.
JetBrains YouTrack 2019.2 before 2019.2.59309 was vulnerable to XSS via an issue description.
In JetBrains TeamCity before 2019.2, several user-level pages were vulnerable to XSS.
JetBrains TeamCity before 2019.2.3 is vulnerable to reflected XSS in the administration UI.
JetBrains TeamCity before 2019.2.3 is vulnerable to stored XSS in the administration UI.
In JetBrains TeamCity before 2020.2.2, XSS was potentially possible on the test history page.
A possible stored JavaScript injection requiring a deliberate server administrator action was detected. The issue was fixed in JetBrains TeamCity 2018.2.3.
A possible stored JavaScript injection was detected on one of the JetBrains TeamCity pages. The issue was fixed in TeamCity 2018.2.3.
In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible.
In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page.
In JetBrains TeamCity before 2025.11 a DOM-based XSS was possible on the OAuth connections tab.
In JetBrains PyCharm before 2025.3.2 a DOM-based XSS on Jupyter viewer page was possible.
In JetBrains TeamCity before 2024.12 missing Content-Type header in RemoteBuildLogController response could lead to XSS.
In JetBrains TeamCity before 2024.12 stored XSS was possible via image name on the agent details page.
In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible.
In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible.
In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI.
In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule.
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest.
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings.
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page.
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements.
In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to an XSS attack via comment tag.
In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible.
In JetBrains TeamCity before 2023.11 stored XSS during restore from backup was possible.
In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API.
In JetBrains TeamCity before 2024.07.3 stored XSS was possible via server global settings.
In JetBrains TeamCity before 2024.07.3 stored XSS was possible in Backup configuration settings.
In JetBrains IntelliJ IDEA before 2024.1 HTML injection via the project name was possible.
JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page.
JetBrains TeamCity before 2021.2.1 was vulnerable to stored XSS.
JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon.