| CVE | Vendors | Products | Updated | CVSS v3.1 |
| In JetBrains TeamCity versions between 2021.2 and 2022.10, access permissions for secure token health items were excessive |
| In JetBrains TeamCity versions before 2022.10, a Project Viewer could see scrambled secure values in the MetaRunner settings |
| In JetBrains TeamCity between 2022.10 and 2022.10.1 a custom STS endpoint allowed internal port scanning. |
| In JetBrains TeamCity between 2022.10 and 2022.10.1 connecting to AWS using the "Default Credential Provider Chain" allowed TeamCity project administrators to access AWS resources normally limited to TeamCity system administrators. |
| Cross-site scripting (XSS) vulnerability in JetBrains TeamCity before 8.1 allows remote attackers to inject arbitrary web script or HTML via the cameFromUrl parameter to feed/generateFeedUrl.html. |
| Unspecified vulnerability in JetBrains TeamCity before 8.1 allows remote attackers to obtain sensitive information via unknown vectors. |
| In JetBrains TeamCity before 2022.10.2 JVMTI was enabled by default on agents. |
| In JetBrains TeamCity before 2022.10.2 there was an XSS vulnerability in the group creation process. |
| In JetBrains TeamCity before 2022.10.2 there was an XSS vulnerability in the user creation process. |
| In JetBrains TeamCity before 2022.10.3 stored XSS in Perforce connection settings was possible |
| In JetBrains TeamCity before 2022.10.3 stored XSS on the SSH keys page was possible |
| In JetBrains TeamCity before 2022.10.3 stored XSS on “Pending changes” and “Changes” tabs was possible |
| In JetBrains TeamCity before 2023.05.6, 2023.11.5 stored XSS in Commit status publisher was possible |
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific edge cases |
| In JetBrains TeamCity before 2024.12.1 decryption of connection secrets without proper permissions was possible via Test Connection endpoint |
| In JetBrains TeamCity before 2024.12.1 improper access control allowed viewing of Projects’ names in the agent pool |
| In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page |
| In JetBrains TeamCity before 2024.03.2 server was susceptible to DoS attacks with incorrect auth tokens |
| In JetBrains TeamCity before 2024.03.2 certain TeamCity API endpoints did not check user permissions |
| In JetBrains TeamCity before 2024.03.2 users could perform actions that should not be available to them based on their permissions |