JetBrains YouTrack

By the Year

In 2024 there has been 1 vulnerability in JetBrains YouTrack, with an average score of 5.4 out of ten. Last year YouTrack had 4 security vulnerabilities published. Right now, YouTrack is on track to have fewer security vulnerabilities in 2024 than it did last year. Last year, the average CVE base score was greater by 0.73.

Year   Vulnerabilities   Average Score
2024   1                 5.40
2023   4                 6.13
2022   7                 5.87
2021   21                6.56
2020   18                5.89
2019   11                7.70
2018   0                 0.00

It may take a day or so for new YouTrack vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent JetBrains Youtrack Security Vulnerabilities

CVE-2024-22370 5.4 - Medium - January 09, 2024

In JetBrains YouTrack before 2023.3.22666 stored XSS via markdown was possible.

XSS

CVE-2023-50871 4.3 - Medium - December 15, 2023

In JetBrains YouTrack before 2023.3.22268 authorization check for inline comments inside thread replies was missed.

CVE-2023-38068 7.3 - High - July 12, 2023

In JetBrains YouTrack before 2023.1.16597 captcha was not properly validated for Helpdesk forms.

Insufficient anti-automation

CVE-2023-35053 7.5 - High - June 12, 2023

In JetBrains YouTrack before 2023.1.10518 a DoS attack was possible via Helpdesk forms.

CVE-2023-35054 5.4 - Medium - June 12, 2023

In JetBrains YouTrack before 2023.1.10518 stored XSS in a Markdown-rendering engine was possible.

XSS

CVE-2022-28648 5.4 - Medium - April 05, 2022

In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered.

XSS

CVE-2022-28649 5.4 - Medium - April 05, 2022

In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description.

Clickjacking

CVE-2022-28650 5.4 - Medium - April 05, 2022

In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI.

XSS

CVE-2022-24442 9.8 - Critical - February 25, 2022

JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.

Code Injection

CVE-2022-24343 4.3 - Medium - February 25, 2022

In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions.

Incorrect Default Permissions

CVE-2022-24344 5.4 - Medium - February 25, 2022

JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page.

XSS

CVE-2022-24347 5.4 - Medium - February 25, 2022

JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon.

XSS

CVE-2021-43186 5.4 - Medium - November 09, 2021

JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS.

XSS

CVE-2021-43185 9.8 - Critical - November 09, 2021

JetBrains YouTrack before 2021.3.23639 is vulnerable to Host header injection.

Injection

CVE-2021-43184 5.4 - Medium - November 09, 2021

In JetBrains YouTrack before 2021.3.21051, stored XSS is possible.

XSS

CVE-2021-37551 5.3 - Medium - August 06, 2021

In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.

Use of Password Hash With Insufficient Computational Effort

CVE-2021-37553 7.5 - High - August 06, 2021

In JetBrains YouTrack before 2021.2.16363, an insecure PRNG was used.

PRNG

CVE-2021-37552 5.4 - Medium - August 06, 2021

In JetBrains YouTrack before 2021.2.17925, stored XSS was possible.

XSS

CVE-2021-37554 4.3 - Medium - August 06, 2021

In JetBrains YouTrack before 2021.3.21051, a user could see boards without having corresponding permissions.

Information Disclosure

CVE-2021-37549 9.1 - Critical - August 06, 2021

In JetBrains YouTrack before 2021.1.11111, sandboxing in workflows was insufficient.

CVE-2021-37550 7.5 - High - August 06, 2021

In JetBrains YouTrack before 2021.2.16363, time-unsafe comparisons were used.

Incorrect Comparison

CVE-2021-27733 5.4 - Medium - May 11, 2021

In JetBrains YouTrack before 2020.6.6441, stored XSS was possible via an issue attachment.

XSS

CVE-2021-31902 7.5 - High - May 11, 2021

In JetBrains YouTrack before 2020.6.6600, access control during the exporting of issues was implemented improperly.

Incorrect Permission Assignment for Critical Resource

CVE-2021-31903 6.1 - Medium - May 11, 2021

In JetBrains YouTrack before 2021.1.9819, a pull request's title was sanitized insufficiently, leading to XSS.

XSS

CVE-2021-31905 7.5 - High - May 11, 2021

In JetBrains YouTrack before 2020.6.8801, information disclosure in an issue preview was possible.

Information Disclosure

CVE-2021-25767 5.3 - Medium - February 03, 2021

In JetBrains YouTrack before 2020.6.1767, an issue's existence could be disclosed via YouTrack command execution.

Information Disclosure

CVE-2021-25768 5.3 - Medium - February 03, 2021

In JetBrains YouTrack before 2020.4.4701, permissions for attachments actions were checked improperly.

CVE-2021-25769 7.5 - High - February 03, 2021

In JetBrains YouTrack before 2020.4.6808, the YouTrack administrator wasn't able to access attachments.

CVE-2021-25770 9.8 - Critical - February 03, 2021

In JetBrains YouTrack before 2020.5.3123, server-side template injection (SSTI) was possible, which could lead to code execution.

Code Injection

CVE-2021-25771 4.3 - Medium - February 03, 2021

In JetBrains YouTrack before 2020.6.1099, project information could be potentially disclosed.

Information Disclosure

CVE-2021-25766 5.3 - Medium - February 03, 2021

In JetBrains YouTrack before 2020.4.4701, improper resource access checks were made.

CVE-2021-25765 8.8 - High - February 03, 2021

In JetBrains YouTrack before 2020.4.4701, CSRF via attachment upload was possible.

Session Riding

CVE-2020-25208 5.3 - Medium - February 03, 2021

In JetBrains YouTrack before 2020.4.4701, an attacker could enumerate users via the REST API without appropriate permissions.

Incorrect Default Permissions

CVE-2020-27626 5.3 - Medium - November 16, 2020

JetBrains YouTrack before 2020.3.5333 was vulnerable to SSRF.

XSPA

CVE-2020-27625 5.3 - Medium - November 16, 2020

In JetBrains YouTrack before 2020.3.888, notifications might have mentioned inaccessible issues.

CVE-2020-27624 5.3 - Medium - November 16, 2020

JetBrains YouTrack before 2020.3.888 was vulnerable to SSRF.

XSPA

CVE-2020-25210 5.3 - Medium - November 16, 2020

In JetBrains YouTrack before 2020.3.7955, an attacker could access workflow rules without appropriate access grants.

Information Disclosure

CVE-2020-25209 7.5 - High - November 16, 2020

In JetBrains YouTrack before 2020.3.6638, improper access control for some subresources leads to information disclosure via the REST API.

Information Disclosure

CVE-2020-24366 3.3 - Low - November 16, 2020

Sensitive information could be disclosed in the JetBrains YouTrack application before 2020.2.0 for Android via application backups.

Information Disclosure

CVE-2020-15822 7.3 - High - October 19, 2020

In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped.

XSPA

CVE-2020-24618 6.5 - Medium - August 27, 2020

In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, 2020.1.11011, 2019.1.65514, 2019.2.65515, and 2019.3.65516, an attacker can retrieve an issue description without appropriate access.

CVE-2020-15818 5.3 - Medium - August 08, 2020

In JetBrains YouTrack before 2020.2.8527, the subtasks workflow could disclose issue existence.

Information Disclosure

CVE-2020-15817 8.8 - High - August 08, 2020

In JetBrains YouTrack before 2020.1.1331, an external user could execute commands against arbitrary issues.

Code Injection

CVE-2020-15819 5.3 - Medium - August 08, 2020

JetBrains YouTrack before 2020.2.10643 was vulnerable to SSRF that allowed scanning internal ports.

XSPA

CVE-2020-15821 6.5 - Medium - August 08, 2020

In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.

Incorrect Default Permissions

CVE-2020-15820 5.3 - Medium - August 08, 2020

In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.

Information Disclosure

CVE-2020-15823 7.5 - High - August 08, 2020

JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.

XSPA

CVE-2020-11693 7.5 - High - April 22, 2020

JetBrains YouTrack before 2020.1.659 was vulnerable to DoS that could be caused by attaching a malformed TIFF file to an issue.

Improper Input Validation

CVE-2020-11692 2.7 - Low - April 22, 2020

In JetBrains YouTrack before 2020.1.659, DB export was accessible to read-only administrators.

Incorrect Default Permissions

CVE-2020-7913 6.1 - Medium - January 30, 2020

JetBrains YouTrack 2019.2 before 2019.2.59309 was vulnerable to XSS via an issue description.

XSS

CVE-2020-7912 5.3 - Medium - January 30, 2020

In JetBrains YouTrack before 2019.2.59309, SMTP/Jabber settings could be accessed using backups.

Exposure of Resource to Wrong Sphere

CVE-2019-18369 5.3 - Medium - October 31, 2019

In JetBrains YouTrack before 2019.2.55152, removing tags from the issues list without the corresponding permission was possible.

Incorrect Default Permissions

CVE-2019-16171 6.1 - Medium - October 02, 2019

In JetBrains YouTrack through 2019.2.56594, stored XSS was found on the issue page.

XSS

CVE-2019-15040 8.8 - High - October 02, 2019

JetBrains YouTrack versions before 2019.1 had a CSRF vulnerability on the settings page.

Session Riding

CVE-2019-14956 4.3 - Medium - October 02, 2019

JetBrains YouTrack before 2019.2.53938 was using incorrect settings, allowing a user without necessary permissions to get other project names.

Improper Preservation of Permissions

CVE-2019-15041 6.1 - Medium - October 01, 2019

JetBrains YouTrack versions before 2019.1.52545 allowed unbounded URL whitelisting because of Inclusion of Functionality from an Untrusted Control Sphere.

Open Redirect

CVE-2019-14952 6.1 - Medium - October 01, 2019

JetBrains YouTrack versions before 2019.1.52584 had a possible XSS in the issue titles.

XSS

CVE-2019-12852 9.8 - Critical - July 03, 2019

An SSRF attack was possible on a JetBrains YouTrack server. The issue (1 of 2) was fixed in JetBrains YouTrack 2018.4.49168.

XSPA

CVE-2019-12867 9.8 - Critical - July 03, 2019

Certain actions could cause privilege escalation for issue attachments in JetBrains YouTrack. The issue was fixed in 2018.4.49168.

CVE-2019-12866 9.8 - Critical - July 03, 2019

An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains YouTrack. The issue was fixed in 2018.4.49168.

Insecure Direct Object Reference / IDOR

CVE-2019-12851 8.8 - High - July 03, 2019

A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852.

Session Riding

CVE-2019-12850 9.8 - Critical - July 03, 2019

A query injection was possible in JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49168.

SQL Injection
