JetBrains Hub


By the Year

In 2024 there have been 0 vulnerabilities in JetBrains Hub. Last year Hub had 2 security vulnerabilities published. Right now, Hub is on track to have fewer security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 2 7.60
2022 8 7.08
2021 11 7.15
2020 1 7.50
2019 3 5.93
2018 0 0.00

It may take a day or so for new Hub vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent JetBrains Hub Security Vulnerabilities

CVE-2022-48477 9.8 - Critical - April 24, 2023

In JetBrains Hub before 2023.1.15725, SSRF protection in the Auth Module integration was missing.

XSPA

CVE-2022-48429 5.4 - Medium - March 27, 2023

In JetBrains Hub before 2022.3.15573, 2022.2.15572, and 2022.1.15583, reflected XSS in dashboards was possible.

XSS

CVE-2022-45471 7.5 - High - November 18, 2022

In JetBrains Hub before 2022.3.15181, throttling was missing when sending emails to a particular email address.

Allocation of Resources Without Limits or Throttling

CVE-2022-34894 5.3 - Medium - July 01, 2022

In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services.

CVE-2022-29811 4.8 - Medium - April 28, 2022

In JetBrains Hub before 2022.1.14638, stored XSS via the project icon was possible.

XSS

CVE-2022-25260 9.1 - Critical - February 25, 2022

JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF).

XSPA

CVE-2022-25262 9.8 - Critical - February 25, 2022

In JetBrains Hub before 2022.1.14434, SAML request takeover was possible.

Insufficient Verification of Data Authenticity

CVE-2022-25259 6.1 - Medium - February 25, 2022

JetBrains Hub before 2021.1.14276 was vulnerable to reflected XSS.

XSS

CVE-2022-24327 7.5 - High - February 25, 2022

In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions.

Incorrect Permission Assignment for Critical Resource

CVE-2022-24328 6.5 - Medium - February 25, 2022

In JetBrains Hub before 2021.1.13956, an unprivileged user could perform a DoS.

CVE-2021-43181 6.1 - Medium - November 09, 2021

In JetBrains Hub before 2021.1.13690, stored XSS is possible.

XSS

CVE-2021-43180 7.5 - High - November 09, 2021

In JetBrains Hub before 2021.1.13690, information disclosure via avatar metadata is possible.

CVE-2021-43182 7.5 - High - November 09, 2021

In JetBrains Hub before 2021.1.13415, a DoS via user information is possible.

CVE-2021-43183 9.8 - Critical - November 09, 2021

In JetBrains Hub before 2021.1.13690, the authentication throttling mechanism could be bypassed.

CVE-2021-36209 9.8 - Critical - August 06, 2021

In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset.

Weak Password Recovery Mechanism for Forgotten Password

CVE-2021-37540 6.5 - Medium - August 06, 2021

In JetBrains Hub before 2021.1.13262, a potentially insufficient CSP for the Widget deployment feature was used.

CVE-2021-37541 6.1 - Medium - August 06, 2021

In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible.

Injection

CVE-2021-31901 7.5 - High - May 11, 2021

In JetBrains Hub before 2021.1.13079, two-factor authentication wasn't enabled properly for the All Users group.

CVE-2021-25760 5.3 - Medium - February 03, 2021

In JetBrains Hub before 2020.1.12669, information disclosure via the public API was possible.

Information Disclosure

CVE-2021-25759 6.5 - Medium - February 03, 2021

In JetBrains Hub before 2020.1.12629, an authenticated user could delete the 2FA settings of any other user.

CVE-2021-25757 6.1 - Medium - February 03, 2021

In JetBrains Hub before 2020.1.12629, an open redirect was possible.

Open Redirect

CVE-2020-11691 7.5 - High - April 22, 2020

In JetBrains Hub before 2020.1.12099, content spoofing in the Hub OAuth error message was possible.

Improper Input Validation

CVE-2019-18360 5.3 - Medium - October 31, 2019

In JetBrains Hub versions earlier than 2019.1.11738, username enumeration was possible through password recovery.

Information Disclosure

CVE-2019-14955 5.3 - Medium - October 01, 2019

In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password, and no password expiration policy was implemented.

Weak Password Recovery Mechanism for Forgotten Password

CVE-2019-12847 7.2 - High - July 03, 2019

In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user. It is only relevant in cases where the password has not changed since 2017 and the audit log still contains events from before that period.

Insufficiently Protected Credentials


Vendor: JetBrains

Product: JetBrains Hub
