| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| In JetBrains IntelliJ IDEA before 2023.1.4 license dialog could be suppressed in certain cases |
| In JetBrains YouTrack before 2023.1.16597 captcha was not properly validated for Helpdesk forms |
| In JetBrains TeamCity before 2023.05.1 build parameters of the "password" type could be written to the agent log |
| In JetBrains TeamCity before 2023.05.1 reflected XSS via the Referer header was possible during artifact downloads |
| In JetBrains TeamCity before 2023.05.1 stored XSS while viewing the build log was possible |
| In JetBrains TeamCity before 2023.05.1 build chain parameters of the "password" type could be written to the agent log |
| In JetBrains TeamCity before 2023.05.1 stored XSS while running custom builds was possible |
| In JetBrains TeamCity before 2023.05.1 parameters of the "password" type could be shown in the UI in certain composite build configurations |
| In JetBrains TeamCity before 2023.05.1 stored XSS when using a custom theme was possible |
| The loading of external images is not blocked, even if configured, if the attacker uses protocol-relative URL in the payload. This can be used to retreive the IP of the user.This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
|
| An improper privilege check in the OTRS ticket move action in the agent interface allows any as agent authenticated attacker to to perform a move of an ticket without the needed permission.
This issue affects OTRS: from 8.0.X before 8.0.35.
|
| An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a cross site scripting attack while reading the replies as authenticated agent.
This issue affects OTRS Survey module from 7.0.X before 7.0.32, from 8.0.X before 8.0.13 and ((OTRS)) Community Edition Survey module from 6.0.X through 6.0.22.
|
| Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any authenticated attacker with admin privileges local execution of Code.This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
|
| A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} allows a low privileged user to fetch, modify or delete the services of any user (including admin). This results in unauthorized access and unauthorized data manipulation. |
| A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged user (customer). This results in unauthorized access and unauthorized data manipulation. |
| A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low privileged user to fetch, modify or delete the settings of any user (including admin). This results in unauthorized access and unauthorized data manipulation. |
| A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows a low privileged user to fetch, modify or delete a high privileged user (admin). This results in unauthorized access and unauthorized data manipulation. |
| A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary). This results in unauthorized access and unauthorized data manipulation. |
| A BOLA vulnerability in GET, PUT, DELETE /webhooks/{webhookId} allows a low privileged user to fetch, modify or delete a webhook of any user (including admin). This results in unauthorized access and unauthorized data manipulation. |
| A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an appointment of any user (including admin). This results in unauthorized access and unauthorized data manipulation. |
