In JetBrains Space through 2020-04-22, the session timeout period was configured improperly.
In JetBrains TeamCity before 2021.2, a logout action didn't remove a Remember Me cookie.
In JetBrains TeamCity before 2021.1.1, insufficient authentication checks for agent requests were made.
In JetBrains TeamCity before 2020.2.4, insufficient checks during file uploading were made.
In JetBrains TeamCity before 2024.07.3 path traversal allowed backup file write to arbitrary location
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
JetBrains YouTrack before 2020.3.888 was vulnerable to SSRF.
JetBrains YouTrack before 2020.3.5333 was vulnerable to SSRF.
In JetBrains TeamCity before 2021.2.1, the Agent Push feature allowed selection of any private key on the server.
In JetBrains TeamCity before 2021.1.3, a newly created project could take settings from an already deleted project.
In JetBrains YouTrack Mobile before 2021.2, iOS URL scheme hijacking is possible.
In JetBrains Ktor before 1.6.4, nonce verification during the OAuth2 authentication process is implemented improperly.
In JetBrains Hub before 2020.1.12099, content spoofing in the Hub OAuth error message was possible.
In JetBrains YouTrack before 2019.2.55152, removing tags from the issues list without the corresponding permission was possible.
JetBrains YouTrack Mobile before 2021.2, is missing the security screen on Android and iOS.
In JetBrains TeamCity before 2021.1.2, some HTTP security headers were missing.
In JetBrains TeamCity before 2021.1.2, permission checks in the Create Patch functionality are insufficient.
In JetBrains YouTrack Mobile before 2021.2, task hijacking on Android is possible.
In JetBrains Code With Me bundled to the compatible IDE versions before 2021.1, a client could open a browser on a host.
In JetBrains TeamCity before 2020.2.2, permission checks for changing TeamCity plugins were implemented improperly.
In JetBrains YouTrack before 2020.6.6600, access control during the exporting of issues was implemented improperly.
An issue was discovered in JetBrains TeamCity 2018.2.4. It had no SSL certificate validation for some external https connections. This was fixed in TeamCity 2019.1.
In JetBrains Ktor before 1.4.3, HTTP Request Smuggling was possible.
In JetBrains YouTrack before 2020.4.4701, permissions for attachments actions were checked improperly.
In JetBrains TeamCity before 2020.2.1, permissions during user deletion were checked improperly.
In JetBrains YouTrack before 2021.2.16363, time-unsafe comparisons were used.
In JetBrains TeamCity before 2019.1.2, a non-destructive operation could be performed by a user without the corresponding permissions.
In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password and no password expiration policy was implemented.
An issue was discovered in JetBrains TeamCity 2018.2.4. The TeamCity server was not using some security-related HTTP headers. The issue was fixed in TeamCity 2019.1.
In JetBrains TeamCity before 2021.2.1, an unauthenticated attacker can cancel running builds via an XML-RPC request to the TeamCity server.
In JetBrains Hub before 2021.1.13079, two-factor authentication wasn't enabled properly for the All Users group.
The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts. The issue was fixed in JetBrains TeamCity 2018.2.3.
Incorrect handling of user input in ZIP extraction was detected in JetBrains TeamCity. The issue was fixed in TeamCity 2018.2.2.
In JetBrains TeamCity before 2020.2.1, permissions during token removal were checked improperly.
In JetBrains PhpStorm before 2020.3, source code could be added to debug logs.
In JetBrains ToolBox version 1.17 before 1.17.6856, the set of signature verifications omitted the jetbrains-toolbox.exe file.
In Ktor before 1.3.0, request smuggling is possible when running behind a proxy that doesn't handle Content-Length and Transfer-Encoding properly or doesn't handle \n as a headers separator.
In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles
In JetBrains TeamCity before 2019.2.1, the application state is kept alive after a user ends his session.
In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration
The NETGEAR genie application before 2.4.34 for Android is affected by mishandling of hard-coded API keys and session IDs.
Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password.
Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's account, but the intended behavior is for those sessions to be terminated.
An insufficient session expiration vulnerability exists in the "Fish | Hunt FL" iOS app version 3.8.0 and earlier, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions.
An arithmetic overflow flaw was found in Satellite when creating a new personal access token. This flaw allows an attacker who uses this arithmetic overflow to create personal access tokens that are valid indefinitely, resulting in damage to the system's integrity.
In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled.
An issue was discovered in Joomla! 2.5.0 through 3.9.27. CMS functions did not properly termine existing user sessions when a user's password was changed or the user was blocked.
Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions expiration dates on the confirmation objects associated with email invitations were not enforced properly in the new account registration flow. A confirmation link takes a user to the check_prereg_key_and_redirect endpoint, before getting redirected to POST to /accounts/register/. The problem was that validation was happening in the check_prereg_key_and_redirect part and not in /accounts/register/ - meaning that one could submit an expired confirmation key and be able to register. The issue is fixed in Zulip 4.8. There are no known workarounds and users are advised to upgrade as soon as possible.
A vulnerability, which was classified as problematic, was found in SourceCodester Engineers Online Portal 1.0. Affected is an unknown function of the file change_password_teacher.php of the component Password Change. The manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249816.
The Milwaukee ONE-KEY Android mobile application uses bearer tokens with an expiration of one year. This bearer token, in combination with a user_id can be used to perform user actions.