Summary
Detail | | | |
---|---|---|---|
Vendor | Jetbrains | First view | 2019-07-03 |
Product | Youtrack | Last view | 2025-01-21 |
Version | 7.0.27676 | Type | Application |
Update | * | | |
Edition | * | | |
Language | * | | |
Software Edition | * | | |
Target Software | * | | |
Target Hardware | * | | |
Other | * | | |
CPE Product | cpe:2.3:a:jetbrains:youtrack | | |
Activity : Overall
Related : CVE
Score | Date | Alert | Description |
---|---|---|---|
7.8 | 2025-01-21 | CVE-2025-24458 | In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration |
5.5 | 2025-01-21 | CVE-2025-24457 | In JetBrains YouTrack before 2024.3.55417 permanent tokens could be exposed in logs |
5.3 | 2024-12-04 | CVE-2024-54158 | In JetBrains YouTrack before 2024.3.52635 potential spoofing attack was possible via lack of Punycode encoding |
6.5 | 2024-12-04 | CVE-2024-54157 | In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector |
6.5 | 2024-12-04 | CVE-2024-54156 | In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack |
5.3 | 2024-12-04 | CVE-2024-54155 | In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication |
9.8 | 2024-12-04 | CVE-2024-54154 | In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox |
6.5 | 2024-12-04 | CVE-2024-54153 | In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via vulnerable query parameter |
5.4 | 2024-10-28 | CVE-2024-50582 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements |
5.4 | 2024-10-28 | CVE-2024-50581 | In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag |
5.4 | 2024-10-28 | CVE-2024-50580 | In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule |
6.1 | 2024-10-28 | CVE-2024-50579 | In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible |
5.4 | 2024-10-28 | CVE-2024-50578 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page |
5.4 | 2024-10-28 | CVE-2024-50577 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings |
5.4 | 2024-10-28 | CVE-2024-50576 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest |
6.1 | 2024-10-28 | CVE-2024-50575 | In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API |
7.5 | 2024-10-28 | CVE-2024-50574 | In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible via email header parsing in Helpdesk functionality |
6.1 | 2024-10-17 | CVE-2024-49579 | In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests |
5.4 | 2024-10-10 | CVE-2024-48902 | In JetBrains YouTrack before 2024.3.46677 improper access control allowed users with project update permission to delete applications via API |
5.3 | 2024-09-19 | CVE-2024-47162 | In JetBrains YouTrack before 2024.3.44799 token could be revealed on Imports page |
5.3 | 2024-09-19 | CVE-2024-47160 | In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible |
4.3 | 2024-09-19 | CVE-2024-47159 | In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project |
8.1 | 2024-06-18 | CVE-2024-38506 | In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows |
7.5 | 2024-06-18 | CVE-2024-38505 | In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site |
5.3 | 2024-06-18 | CVE-2024-38504 | In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
43% (23) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
9% (5) | CWE-276 | Incorrect Default Permissions |
5% (3) | CWE-352 | Cross-Site Request Forgery (CSRF) |
5% (3) | CWE-290 | Authentication Bypass by Spoofing |
3% (2) | CWE-522 | Insufficiently Protected Credentials |
3% (2) | CWE-306 | Missing Authentication for Critical Function |
3% (2) | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
1% (1) | CWE-799 | Improper Control of Interaction Frequency |
1% (1) | CWE-732 | Incorrect Permission Assignment for Critical Resource |
1% (1) | CWE-697 | Insufficient Comparison |
1% (1) | CWE-668 | Exposure of Resource to Wrong Sphere |
1% (1) | CWE-639 | Access Control Bypass Through User-Controlled Key |
1% (1) | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
1% (1) | CWE-532 | Information Leak Through Log Files |
1% (1) | CWE-338 | Use of Cryptographically Weak PRNG |
1% (1) | CWE-295 | Certificate Issues |
1% (1) | CWE-281 | Improper Preservation of Permissions |
1% (1) | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('... |
1% (1) | CWE-74 | Failure to Sanitize Data into a Different Plane ('Injection') |
1% (1) | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path ... |