JetBrains Youtrack
By the Year
In 2023 there have been 0 vulnerabilities in JetBrains Youtrack . Last year Youtrack had 7 security vulnerabilities published. Right now, Youtrack is on track to have less security vulnerabilities in 2023 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2023 | 0 | 0.00 |
| 2022 | 7 | 5.87 |
| 2021 | 21 | 6.56 |
| 2020 | 18 | 5.89 |
| 2019 | 11 | 7.70 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Youtrack vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent JetBrains Youtrack Security Vulnerabilities
In JetBrains YouTrack before 2022.1.43563 HTML code
CVE-2022-28648
5.4 - Medium
- April 05, 2022
In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered
XSS
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe
CVE-2022-28649
5.4 - Medium
- April 05, 2022
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description
Clickjacking
In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI
CVE-2022-28650
5.4 - Medium
- April 05, 2022
In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI
XSS
JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection)
CVE-2022-24442
9.8 - Critical
- February 25, 2022
JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.
Injection
In JetBrains YouTrack before 2021.4.31698
CVE-2022-24343
4.3 - Medium
- February 25, 2022
In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions.
Incorrect Default Permissions
JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page.
CVE-2022-24344
5.4 - Medium
- February 25, 2022
JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page.
XSS
JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS
CVE-2022-24347
5.4 - Medium
- February 25, 2022
JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon.
XSS
In JetBrains YouTrack before 2021.3.21051
CVE-2021-43184
5.4 - Medium
- November 09, 2021
In JetBrains YouTrack before 2021.3.21051, stored XSS is possible.
XSS
JetBrains YouTrack before 2021.3.23639 is vulnerable to Host header injection.
CVE-2021-43185
9.8 - Critical
- November 09, 2021
JetBrains YouTrack before 2021.3.23639 is vulnerable to Host header injection.
Injection
JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS.
CVE-2021-43186
5.4 - Medium
- November 09, 2021
JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS.
XSS
In JetBrains YouTrack before 2021.3.21051
CVE-2021-37554
4.3 - Medium
- August 06, 2021
In JetBrains YouTrack before 2021.3.21051, a user could see boards without having corresponding permissions.
Information Disclosure
In JetBrains YouTrack before 2021.2.16363
CVE-2021-37550
7.5 - High
- August 06, 2021
In JetBrains YouTrack before 2021.2.16363, time-unsafe comparisons were used.
Incorrect Comparison
In JetBrains YouTrack before 2021.1.11111
CVE-2021-37549
9.1 - Critical
- August 06, 2021
In JetBrains YouTrack before 2021.1.11111, sandboxing in workflows was insufficient.
In JetBrains YouTrack before 2021.2.17925
CVE-2021-37552
5.4 - Medium
- August 06, 2021
In JetBrains YouTrack before 2021.2.17925, stored XSS was possible.
XSS
In JetBrains YouTrack before 2021.2.16363
CVE-2021-37553
7.5 - High
- August 06, 2021
In JetBrains YouTrack before 2021.2.16363, an insecure PRNG was used.
PRNG
In JetBrains YouTrack before 2021.2.16363
CVE-2021-37551
5.3 - Medium
- August 06, 2021
In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.
Use of Password Hash With Insufficient Computational Effort
In JetBrains YouTrack before 2020.6.6441, stored XSS was possible
CVE-2021-27733
5.4 - Medium
- May 11, 2021
In JetBrains YouTrack before 2020.6.6441, stored XSS was possible via an issue attachment.
XSS
In JetBrains YouTrack before 2020.6.6600
CVE-2021-31902
7.5 - High
- May 11, 2021
In JetBrains YouTrack before 2020.6.6600, access control during the exporting of issues was implemented improperly.
Incorrect Permission Assignment for Critical Resource
In JetBrains YouTrack before 2021.1.9819
CVE-2021-31903
6.1 - Medium
- May 11, 2021
In JetBrains YouTrack before 2021.1.9819, a pull request's title was sanitized insufficiently, leading to XSS.
XSS
In JetBrains YouTrack before 2020.6.8801
CVE-2021-31905
7.5 - High
- May 11, 2021
In JetBrains YouTrack before 2020.6.8801, information disclosure in an issue preview was possible.
Information Disclosure
In JetBrains YouTrack before 2020.6.1099
CVE-2021-25771
4.3 - Medium
- February 03, 2021
In JetBrains YouTrack before 2020.6.1099, project information could be potentially disclosed.
Information Disclosure
In JetBrains YouTrack before 2020.5.3123, server-side template injection (SSTI) was possible
CVE-2021-25770
9.8 - Critical
- February 03, 2021
In JetBrains YouTrack before 2020.5.3123, server-side template injection (SSTI) was possible, which could lead to code execution.
Code Injection
In JetBrains YouTrack before 2020.4.6808
CVE-2021-25769
7.5 - High
- February 03, 2021
In JetBrains YouTrack before 2020.4.6808, the YouTrack administrator wasn't able to access attachments.
In JetBrains YouTrack before 2020.4.4701, an attacker could enumerate users
CVE-2020-25208
5.3 - Medium
- February 03, 2021
In JetBrains YouTrack before 2020.4.4701, an attacker could enumerate users via the REST API without appropriate permissions.
Incorrect Default Permissions
In JetBrains YouTrack before 2020.4.4701
CVE-2021-25768
5.3 - Medium
- February 03, 2021
In JetBrains YouTrack before 2020.4.4701, permissions for attachments actions were checked improperly.
In JetBrains YouTrack before 2020.6.1767, an issue's existence could be disclosed
CVE-2021-25767
5.3 - Medium
- February 03, 2021
In JetBrains YouTrack before 2020.6.1767, an issue's existence could be disclosed via YouTrack command execution.
Information Disclosure
In JetBrains YouTrack before 2020.4.4701
CVE-2021-25766
5.3 - Medium
- February 03, 2021
In JetBrains YouTrack before 2020.4.4701, improper resource access checks were made.
In JetBrains YouTrack before 2020.4.4701, CSRF
CVE-2021-25765
8.8 - High
- February 03, 2021
In JetBrains YouTrack before 2020.4.4701, CSRF via attachment upload was possible.
Session Riding
In JetBrains YouTrack before 2020.3.888
CVE-2020-27625
5.3 - Medium
- November 16, 2020
In JetBrains YouTrack before 2020.3.888, notifications might have mentioned inaccessible issues.
JetBrains YouTrack before 2020.3.5333 was vulnerable to SSRF.
CVE-2020-27626
5.3 - Medium
- November 16, 2020
JetBrains YouTrack before 2020.3.5333 was vulnerable to SSRF.
XSPA
JetBrains YouTrack before 2020.3.888 was vulnerable to SSRF.
CVE-2020-27624
5.3 - Medium
- November 16, 2020
JetBrains YouTrack before 2020.3.888 was vulnerable to SSRF.
XSPA
In JetBrains YouTrack before 2020.3.7955
CVE-2020-25210
5.3 - Medium
- November 16, 2020
In JetBrains YouTrack before 2020.3.7955, an attacker could access workflow rules without appropriate access grants.
Information Disclosure
In JetBrains YouTrack before 2020.3.6638, improper access control for some subresources leads to information disclosure
CVE-2020-25209
7.5 - High
- November 16, 2020
In JetBrains YouTrack before 2020.3.6638, improper access control for some subresources leads to information disclosure via the REST API.
Information Disclosure
Sensitive information could be disclosed in the JetBrains YouTrack application before 2020.2.0 for Android
CVE-2020-24366
3.3 - Low
- November 16, 2020
Sensitive information could be disclosed in the JetBrains YouTrack application before 2020.2.0 for Android via application backups.
Information Disclosure
In JetBrains YouTrack before 2020.2.10514, SSRF is possible
CVE-2020-15822
7.3 - High
- October 19, 2020
In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped.
XSPA
In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, 2020.1.11011, 2019.1.65514, 2019.2.65515, and 2019.3.65516, an attacker
CVE-2020-24618
6.5 - Medium
- August 27, 2020
In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, 2020.1.11011, 2019.1.65514, 2019.2.65515, and 2019.3.65516, an attacker can retrieve an issue description without appropriate access.
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15823
7.5 - High
- August 08, 2020
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
XSPA
In JetBrains YouTrack before 2020.2.6881
CVE-2020-15821
6.5 - Medium
- August 08, 2020
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
Incorrect Default Permissions
In JetBrains YouTrack before 2020.2.6881
CVE-2020-15820
5.3 - Medium
- August 08, 2020
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
Information Disclosure
JetBrains YouTrack before 2020.2.10643 was vulnerable to SSRF
CVE-2020-15819
5.3 - Medium
- August 08, 2020
JetBrains YouTrack before 2020.2.10643 was vulnerable to SSRF that allowed scanning internal ports.
XSPA
In JetBrains YouTrack before 2020.2.8527
CVE-2020-15818
5.3 - Medium
- August 08, 2020
In JetBrains YouTrack before 2020.2.8527, the subtasks workflow could disclose issue existence.
Information Disclosure
In JetBrains YouTrack before 2020.1.1331
CVE-2020-15817
8.8 - High
- August 08, 2020
In JetBrains YouTrack before 2020.1.1331, an external user could execute commands against arbitrary issues.
Code Injection
JetBrains YouTrack before 2020.1.659 was vulnerable to DoS
CVE-2020-11693
7.5 - High
- April 22, 2020
JetBrains YouTrack before 2020.1.659 was vulnerable to DoS that could be caused by attaching a malformed TIFF file to an issue.
Improper Input Validation
In JetBrains YouTrack before 2020.1.659
CVE-2020-11692
2.7 - Low
- April 22, 2020
In JetBrains YouTrack before 2020.1.659, DB export was accessible to read-only administrators.
Incorrect Default Permissions
JetBrains YouTrack 2019.2 before 2019.2.59309 was vulnerable to XSS
CVE-2020-7913
6.1 - Medium
- January 30, 2020
JetBrains YouTrack 2019.2 before 2019.2.59309 was vulnerable to XSS via an issue description.
XSS
In JetBrains YouTrack before 2019.2.59309
CVE-2020-7912
5.3 - Medium
- January 30, 2020
In JetBrains YouTrack before 2019.2.59309, SMTP/Jabber settings could be accessed using backups.
Exposure of Resource to Wrong Sphere
In JetBrains YouTrack before 2019.2.55152, removing tags
CVE-2019-18369
5.3 - Medium
- October 31, 2019
In JetBrains YouTrack before 2019.2.55152, removing tags from the issues list without the corresponding permission was possible.
Incorrect Default Permissions
In JetBrains YouTrack through 2019.2.56594
CVE-2019-16171
6.1 - Medium
- October 02, 2019
In JetBrains YouTrack through 2019.2.56594, stored XSS was found on the issue page.
XSS
JetBrains YouTrack versions before 2019.1 had a CSRF vulnerability on the settings page.
CVE-2019-15040
8.8 - High
- October 02, 2019
JetBrains YouTrack versions before 2019.1 had a CSRF vulnerability on the settings page.
Session Riding
JetBrains YouTrack before 2019.2.53938 was using incorrect settings
CVE-2019-14956
4.3 - Medium
- October 02, 2019
JetBrains YouTrack before 2019.2.53938 was using incorrect settings, allowing a user without necessary permissions to get other project names.
Improper Preservation of Permissions
JetBrains YouTrack versions before 2019.1.52545
CVE-2019-15041
6.1 - Medium
- October 01, 2019
JetBrains YouTrack versions before 2019.1.52545 allowed unbounded URL whitelisting because of Inclusion of Functionality from an Untrusted Control Sphere.
Open Redirect
JetBrains YouTrack versions before 2019.1.52584 had a possible XSS in the issue titles.
CVE-2019-14952
6.1 - Medium
- October 01, 2019
JetBrains YouTrack versions before 2019.1.52584 had a possible XSS in the issue titles.
XSS
An SSRF attack was possible on a JetBrains YouTrack server
CVE-2019-12852
9.8 - Critical
- July 03, 2019
An SSRF attack was possible on a JetBrains YouTrack server. The issue (1 of 2) was fixed in JetBrains YouTrack 2018.4.49168.
XSPA
Certain actions could cause privilege escalation for issue attachments in JetBrains YouTrack
CVE-2019-12867
9.8 - Critical
- July 03, 2019
Certain actions could cause privilege escalation for issue attachments in JetBrains YouTrack. The issue was fixed in 2018.4.49168.
An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains YouTrack
CVE-2019-12866
9.8 - Critical
- July 03, 2019
An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains YouTrack. The issue was fixed in 2018.4.49168.
Insecure Direct Object Reference / IDOR
A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack
CVE-2019-12851
8.8 - High
- July 03, 2019
A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852.
Session Riding
A query injection was possible in JetBrains YouTrack
CVE-2019-12850
9.8 - Critical
- July 03, 2019
A query injection was possible in JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49168.
SQL Injection
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for JetBrains Youtrack or by JetBrains? Click the Watch button to subscribe.
