We resolved a series of security issues in our products in the fourth quarter of 2018. Here's a summary report with a description of each issue and the version in which it was resolved.
| Product | Description | Severity | Fixed in |
|---|---|---|---|
| Hub, Upsource | Admin account takeover of a system authorized with Hub was possible (JPS-9594) | Critical | 2018.3.11035 |
| Hub, Upsource | XXE was possible (JPS-9616, UP-10218) | High | 2018.4.11067 |
| JetBrains Account | Disclosure of email address within unsuccessful login attempt (JPF-8663) | High | 4.11 |
| TeamCity | Reflected XSS on user-level pages (TW-58065, TW-58234) | High | 2018.2 |
| TeamCity | Stored XSS on the build details page (TW-58129, TW-58138) | High | 2018.2 |
| TeamCity | Exposure of sensitive parameter value to a privileged user was possible (TW-56946) | Moderate | 2018.1.3 |
| Upsource | A privileged user had access to user credentials in a rare case (UP-10092) | Moderate | 2018.2.1141 |
| | Unauthorized disclosure of YouTrack InCloud subscription information was possible (JPF-8714, JT-51001) | High | 2018.4.48293 |
| YouTrack | Unauthorized access to project and user details with guest user banned was possible (JT-50970, JT-49827, JT-50611, JT-50203) | High | 2018.3.47010 |
| YouTrack | Unauthorized access to the email address of YouTrack InCloud was possible (JT-50946) | High | 2018.4.48293 |
| YouTrack | Stored XSS on YouTrack issue page (JT-50201) | Low | 2018.3.47965 |
If you need any further assistance, please contact our Support Engineers.
Your JetBrains Team
The Drive to Develop