CVE-2021-43193: JetBrains Security Bulletin Q3 2021 | JetBrains News

In JetBrains TeamCity before 2021.1.2, email notifications could include unescaped HTML for XSS.

In JetBrains TeamCity before 2021.1.2, stored XSS is possible.

In JetBrains TeamCity before 2021.1.2, permission checks in the Create Patch functionality are insufficient.

In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient.

In JetBrains TeamCity before 2021.1.2, some HTTP security headers were missing.

In JetBrains TeamCity before 2021.1, information disclosure via the Docker Registry connection dialog is possible.

In JetBrains TeamCity before 2021.1.3, a newly created project could take settings from an already deleted project.

JetBrains YouTrack Mobile before 2021.2, is missing the security screen on Android and iOS.

JetBrains YouTrack before 2021.3.23639 is vulnerable to Host header injection.

JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS.

In JetBrains Hub before 2021.1.13690, the authentication throttling mechanism could be bypassed.

In JetBrains Ktor before 1.6.4, nonce verification during the OAuth2 authentication process is implemented improperly.

In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.