Security Issues Resolved in YouTrack in 2017

Last year we resolved a series of security issues in YouTrack and Hub that were not included as part of the release notes. Starting this year, we are planning to share quarterly reports about which security issues were fixed in YouTrack.

Below is a summary of the more important security issues resolved, with a description of each, its severity, the affected versions, and the version in which it was resolved.

| Description | Tracker issues | Severity | Affected versions | Resolved in |
|---|---|---|---|---|
| Attachment preview functionality allowed injected JavaScript code to be executed in the browser. | JT-9052, JT-42119, JT-44497 | High | 2017.4.x | 2017.4.37933 |
| Insufficient verification of the issue linkage permission when creating a linked issue allowed a newly created issue to be linked without authorization. | JT-25321 | Low | <2017.3.x | 2017.3.33585 |
| With Jira integration enabled, entering invalid credentials granted unauthorized access as a previously authorized user. | JT-40364, JPS-5307 | Moderate | 2017.1.x | 2017.1.31650 |
| Mentioning a user in a comment with limited visibility triggered an email notification to that user, even though they could not access the comment. | JT-41146 | Moderate | 2017.2.31873 | 2017.3.37198 |
| A BEAST attack could be performed against a YouTrack InCloud setup. | JT-42572 | Moderate | <2017.3.34922 | 2017.3.34922 |
| The mobile version of YouTrack allowed a visitor to access comments whose visibility was limited to a specific user. | JT-44043, JT-44052 | High | 2017.2.33766 | 2017.4.37623 |
| Issue content could be accessed by a disabled guest user. | JT-44255, JT-45284 | Critical | 2017.3.37328 | 2017.4.39083 |
| The Hub authorization module was vulnerable to content spoofing. | JPS-5878 | Note | <2017.2.5942 | 2017.2.5942 |
| Hub was vulnerable to a clickjacking attack. | JPS-7209 | High | <2017.4.8040 | 2017.4.8040 |

The latest versions of YouTrack with fixes for the different issues are available on our website. If you’re using YouTrack InCloud, please note that no action is required on your part.

If you need any further assistance, please contact our Support Engineers.

Your YouTrack Team
The Drive to Develop