Teamcity
Monthly
In JetBrains TeamCity before 2024.03.1 commit status publisher didn't check project scope of the GitHub App token. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity between 2024.03 and 2024.03.1 several stored XSS in the available updates page were possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03 server administrators could remove arbitrary files from the server by installing tools. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03 xXE was possible in the Maven build steps detector. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03 xSS was possible via Agent Distribution settings. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03 reflected XSS was possible via Space connection configuration. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03 2FA could be bypassed by providing a special URL parameter. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In JetBrains TeamCity before 2024.03 open redirect was possible on the login page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03 authenticated users without administrative permissions could register other users when self-registration was disabled. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11 users with access to the agent machine might obtain permissions of the user running the agent process. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11.4 presigned URL generation requests in S3 Artifact Storage plugin were authorized improperly. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity between 2023.11 and 2023.11.4 custom build parameters of the "password" type could be disclosed. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In JetBrains TeamCity before 2023.11.3 path traversal allowed reading data within JAR archives. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11.2 limited directory traversal was possible in the Kotlin DSL documentation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11.2 stored XSS via agent distribution was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11.2 access control at the S3 Artifact Storage plugin endpoint was missed. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11.1 a CSRF on login was possible. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.4 stored XSS was possible during nodes configuration. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In JetBrains TeamCity before 2023.05.3 reflected XSS was possible during user registration. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.3 reflected XSS was possible during copying Build Step. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.3 stored XSS was possible during Cloud Profiles configuration. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.2 reflected XSS via GitHub integration was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.2 a ReDoS attack was possible via integration with issue trackers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.2 a token with limited permissions could be used to gain full account access. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.1 build parameters of the "password" type could be written to the agent log. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.1 reflected XSS via the Referer header was possible during artifact downloads. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.1 stored XSS while viewing the build log was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.1 build chain parameters of the "password" type could be written to the agent log. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.1 stored XSS while running custom builds was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.1 parameters of the "password" type could be shown in the UI in certain composite build configurations. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.1 stored XSS when using a custom theme was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 stored XSS in GitLab Connection page was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 authentication checks were missing - 2FA was not checked for some sensitive account actions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 a specific endpoint was vulnerable to brute force attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 reflected XSS in the Subscriptions page was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 stored XSS in the NuGet feed page was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 open redirect during oAuth configuration was possible. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 parameters of the "password" type from build dependencies could be logged in some cases. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 possible XSS in the Plugin Vendor URL was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 stored XSS in the Show Connection page was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 stored XSS in the Commit Status Publisher window was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 improper permission checks allowed users without appropriate permissions to edit Build Configuration settings via REST API. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity between 2022.10 and 2022.10.1 connecting to AWS using the "Default Credential Provider Chain" allowed TeamCity project administrators to access AWS resources normally limited to. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity between 2022.10 and 2022.10.1 a custom STS endpoint allowed internal port scanning. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity version before 2022.10, no audit items were added upon editing a user's settings. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity version before 2022.10, Password parameters could be exposed in the build log if they contained special characters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity version before 2022.10, Project Viewer could see scrambled secure values in the MetaRunner settings. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity version between 2021.2 and 2022.10 access permissions for secure token health items were excessive. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.4 environmental variables of "password" type could be logged when using custom Perforce executable. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.3 the private SSH key could be written to the server log in some cases. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.2 build parameter injection was possible. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.2 the private SSH key could be written to the build log in some cases. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04 potential XSS via Referrer header was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04 leak of secrets in TeamCity agent logs was possible. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04 reflected XSS on the Build Chain Status page was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2.3, environment variables of the "password" type could be logged in some cases. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
JetBrains TeamCity before 2021.2.2 was vulnerable to reflected XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2.1, URL injection leading to CSRF was possible. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2.1, editing a user account to change its password didn't terminate sessions of the edited user. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
JetBrains TeamCity before 2021.2.1 was vulnerable to stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
JetBrains TeamCity before 2021.2.1 was vulnerable to reflected XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2, health items of pull requests were shown to users who lacked appropriate permissions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2.1, an unauthenticated attacker can cancel running builds via an XML-RPC request to the TeamCity server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
JetBrains TeamCity before 2021.2 was vulnerable to a Time-of-check/Time-of-use (TOCTOU) race-condition attack in agent registration via XML-RPC. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In JetBrains TeamCity before 2021.2.1, the Agent Push feature allowed selection of any private key on the server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2, blind SSRF via an XML-RPC call was possible. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2, a logout action didn't remove a Remember Me cookie. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2.1, a redirection to an external site was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.3, a newly created project could take settings from an already deleted project. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.2, permission checks in the Create Patch functionality are insufficient. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.2, stored XSS is possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.2, email notifications could include unescaped HTML for XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1, information disclosure via the Docker Registry connection dialog is possible. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.2, some HTTP security headers were missing. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.2, user enumeration was possible. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1, passwords in cleartext sometimes could be stored in VCS. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2020.2.4, insufficient checks during file uploading were made. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1, an insecure key generation mechanism for encrypted properties was used. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.1, insufficient authentication checks for agent requests were made. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2020.2.4, there was an insecure deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03.1 commit status publisher didn't check project scope of the GitHub App token. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity between 2024.03 and 2024.03.1 several stored XSS in the available updates page were possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03 server administrators could remove arbitrary files from the server by installing tools. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03 xXE was possible in the Maven build steps detector. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03 xSS was possible via Agent Distribution settings. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03 reflected XSS was possible via Space connection configuration. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03 2FA could be bypassed by providing a special URL parameter. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In JetBrains TeamCity before 2024.03 open redirect was possible on the login page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03 authenticated users without administrative permissions could register other users when self-registration was disabled. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11 users with access to the agent machine might obtain permissions of the user running the agent process. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11.4 presigned URL generation requests in S3 Artifact Storage plugin were authorized improperly. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity between 2023.11 and 2023.11.4 custom build parameters of the "password" type could be disclosed. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In JetBrains TeamCity before 2023.11.3 path traversal allowed reading data within JAR archives. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11.2 limited directory traversal was possible in the Kotlin DSL documentation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11.2 stored XSS via agent distribution was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11.2 access control at the S3 Artifact Storage plugin endpoint was missed. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11.1 a CSRF on login was possible. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.4 stored XSS was possible during nodes configuration. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In JetBrains TeamCity before 2023.05.3 reflected XSS was possible during user registration. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.3 reflected XSS was possible during copying Build Step. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.3 stored XSS was possible during Cloud Profiles configuration. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.2 reflected XSS via GitHub integration was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.2 a ReDoS attack was possible via integration with issue trackers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.2 a token with limited permissions could be used to gain full account access. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.1 build parameters of the "password" type could be written to the agent log. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.1 reflected XSS via the Referer header was possible during artifact downloads. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.1 stored XSS while viewing the build log was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.1 build chain parameters of the "password" type could be written to the agent log. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.1 stored XSS while running custom builds was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.1 parameters of the "password" type could be shown in the UI in certain composite build configurations. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.1 stored XSS when using a custom theme was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 stored XSS in GitLab Connection page was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 authentication checks were missing - 2FA was not checked for some sensitive account actions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 a specific endpoint was vulnerable to brute force attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 reflected XSS in the Subscriptions page was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 stored XSS in the NuGet feed page was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 open redirect during oAuth configuration was possible. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 parameters of the "password" type from build dependencies could be logged in some cases. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 possible XSS in the Plugin Vendor URL was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 stored XSS in the Show Connection page was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 stored XSS in the Commit Status Publisher window was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 improper permission checks allowed users without appropriate permissions to edit Build Configuration settings via REST API. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity between 2022.10 and 2022.10.1 connecting to AWS using the "Default Credential Provider Chain" allowed TeamCity project administrators to access AWS resources normally limited to. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity between 2022.10 and 2022.10.1 a custom STS endpoint allowed internal port scanning. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity version before 2022.10, no audit items were added upon editing a user's settings. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity version before 2022.10, Password parameters could be exposed in the build log if they contained special characters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity version before 2022.10, Project Viewer could see scrambled secure values in the MetaRunner settings. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity version between 2021.2 and 2022.10 access permissions for secure token health items were excessive. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.4 environmental variables of "password" type could be logged when using custom Perforce executable. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.3 the private SSH key could be written to the server log in some cases. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.2 build parameter injection was possible. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.2 the private SSH key could be written to the build log in some cases. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04 potential XSS via Referrer header was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04 leak of secrets in TeamCity agent logs was possible. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04 reflected XSS on the Build Chain Status page was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2.3, environment variables of the "password" type could be logged in some cases. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
JetBrains TeamCity before 2021.2.2 was vulnerable to reflected XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2.1, URL injection leading to CSRF was possible. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2.1, editing a user account to change its password didn't terminate sessions of the edited user. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
JetBrains TeamCity before 2021.2.1 was vulnerable to stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
JetBrains TeamCity before 2021.2.1 was vulnerable to reflected XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2, health items of pull requests were shown to users who lacked appropriate permissions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2.1, an unauthenticated attacker can cancel running builds via an XML-RPC request to the TeamCity server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
JetBrains TeamCity before 2021.2 was vulnerable to a Time-of-check/Time-of-use (TOCTOU) race-condition attack in agent registration via XML-RPC. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In JetBrains TeamCity before 2021.2.1, the Agent Push feature allowed selection of any private key on the server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2, blind SSRF via an XML-RPC call was possible. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2, a logout action didn't remove a Remember Me cookie. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.2.1, a redirection to an external site was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.3, a newly created project could take settings from an already deleted project. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.2, permission checks in the Create Patch functionality are insufficient. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.2, stored XSS is possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.2, email notifications could include unescaped HTML for XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1, information disclosure via the Docker Registry connection dialog is possible. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.2, some HTTP security headers were missing. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.2, user enumeration was possible. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1, passwords in cleartext sometimes could be stored in VCS. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2020.2.4, insufficient checks during file uploading were made. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1, an insecure key generation mechanism for encrypted properties was used. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2021.1.1, insufficient authentication checks for agent requests were made. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2020.2.4, there was an insecure deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.