In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL
In JetBrains TeamCity before 2023.11.2 access control at the S3 Artifact Storage plugin endpoint was missed
In JetBrains TeamCity before 2021.1.1, insufficient authentication checks for agent requests were made.
In JetBrains TeamCity version before 2022.10, no audit items were added upon editing a user's settings
In JetBrains TeamCity before 2020.2.4, insufficient checks during file uploading were made.
In JetBrains TeamCity before 2024.12 improper access control allowed unauthorized users to modify build logs
In JetBrains YouTrack before 2024.3.52635 potential spoofing attack was possible via lack of Punycode encoding
In JetBrains Space through 2020-04-22, the session timeout period was configured improperly.
In JetBrains TeamCity before 2021.2, a logout action didn't remove a Remember Me cookie.
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
JetBrains YouTrack before 2020.3.888 was vulnerable to SSRF.
JetBrains YouTrack before 2020.3.5333 was vulnerable to SSRF.
In JetBrains TeamCity before 2021.2.1, the Agent Push feature allowed selection of any private key on the server.
In JetBrains TeamCity before 2021.1.3, a newly created project could take settings from an already deleted project.
In JetBrains YouTrack Mobile before 2021.2, iOS URL scheme hijacking is possible.
In JetBrains Ktor before 1.6.4, nonce verification during the OAuth2 authentication process is implemented improperly.
In JetBrains TeamCity before 2021.2.1, editing a user account to change its password didn't terminate sessions of the edited user.
In JetBrains Hub before 2020.1.12099, content spoofing in the Hub OAuth error message was possible.
In JetBrains YouTrack before 2019.2.55152, removing tags from the issues list without the corresponding permission was possible.
JetBrains YouTrack Mobile before 2021.2, is missing the security screen on Android and iOS.
In JetBrains TeamCity before 2021.1.2, some HTTP security headers were missing.
In JetBrains TeamCity before 2021.1.2, permission checks in the Create Patch functionality are insufficient.
In JetBrains YouTrack Mobile before 2021.2, task hijacking on Android is possible.
In JetBrains Code With Me bundled to the compatible IDE versions before 2021.1, a client could open a browser on a host.
In JetBrains TeamCity before 2020.2.2, permission checks for changing TeamCity plugins were implemented improperly.
In JetBrains YouTrack before 2020.6.6600, access control during the exporting of issues was implemented improperly.
An issue was discovered in JetBrains TeamCity 2018.2.4. It had no SSL certificate validation for some external https connections. This was fixed in TeamCity 2019.1.
In JetBrains Ktor before 1.4.3, HTTP Request Smuggling was possible.
In JetBrains YouTrack before 2020.4.4701, permissions for attachments actions were checked improperly.
In JetBrains TeamCity before 2020.2.1, permissions during user deletion were checked improperly.
In JetBrains YouTrack before 2021.2.16363, time-unsafe comparisons were used.
In JetBrains TeamCity before 2019.1.2, a non-destructive operation could be performed by a user without the corresponding permissions.
An issue was discovered in JetBrains TeamCity 2018.2.4. The TeamCity server was not using some security-related HTTP headers. The issue was fixed in TeamCity 2019.1.
In JetBrains TeamCity before 2021.2.1, an unauthenticated attacker can cancel running builds via an XML-RPC request to the TeamCity server.
In JetBrains Hub before 2021.1.13079, two-factor authentication wasn't enabled properly for the All Users group.
The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts. The issue was fixed in JetBrains TeamCity 2018.2.3.
Incorrect handling of user input in ZIP extraction was detected in JetBrains TeamCity. The issue was fixed in TeamCity 2018.2.2.
In JetBrains TeamCity before 2020.2.1, permissions during token removal were checked improperly.
In JetBrains PhpStorm before 2020.3, source code could be added to debug logs.
In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles
In JetBrains YouTrack before 2024.1.25893 creation comments on behalf of an arbitrary user in HelpDesk was possible
In JetBrains ToolBox version 1.17 before 1.17.6856, the set of signature verifications omitted the jetbrains-toolbox.exe file.
In Ktor before 1.3.0, request smuggling is possible when running behind a proxy that doesn't handle Content-Length and Transfer-Encoding properly or doesn't handle \n as a headers separator.
In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset.
In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible.
In JetBrains TeamCity before 2020.2.3, account takeover was potentially possible during a password reset.
Remedy AR System Server in BMC Remedy 8.1 SP 2, 9.0, 9.0 SP 1, and 9.1 allows attackers to reset arbitrary passwords via a blank previous password.
A backdoor (aka BMSA-2009-07) was found in PyForum v1.0.3 where an attacker who knows a valid user email could force a password reset on behalf of that user.
An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the change password function of the web server
A vulnerability was found in UTT 进取 750W up to 5.0 and classified as critical. Affected by this issue is the function formDefineManagement of the file /goform/setSysAdm of the component Administrator Password Handler. The manipulation of the argument passwd1 leads to unverified password change. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.