| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| In JetBrains TeamCity before 2024.12 missing Content-Type header in RemoteBuildLogController response could lead to XSS |
| In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack |
| In JetBrains TeamCity before 2024.03 server administrators could remove arbitrary files from the server by installing tools |
| In JetBrains TeamCity before 2024.03 xXE was possible in the Maven build steps detector |
| In JetBrains TeamCity before 2024.03 2FA could be bypassed by providing a special URL parameter |
| In JetBrains TeamCity before 2024.03 authenticated users without administrative permissions could register other users when self-registration was disabled |
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 an XSS could be executed via certain report grouping and filtering operations |
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 a third-party agent could impersonate a cloud agent |
| In JetBrains TeamCity before 2024.03.1 commit status publisher didn't check project scope of the GitHub App token |
| In JetBrains TeamCity between 2024.03 and 2024.03.1 several stored XSS in the available updates page were possible |
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via OAuth connection settings was possible |
| In JetBrains TeamCity before 2023.11 stored XSS during restore from backup was possible |
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 path traversal allowing to read files from server was possible |
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 several Stored XSS in code inspection reports were possible |
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 improper access control in Pull Requests and Commit status publisher build features was possible |
| In JetBrains TeamCity before 2023.11 users with access to the agent machine might obtain permissions of the user running the agent process |
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via third-party reports was possible |
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 reflected XSS via OAuth provider configuration was possible |
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via issue tracker integration was possible |
| In JetBrains TeamCity between 2023.11 and 2023.11.4 custom build parameters of the "password" type could be disclosed |
