In JetBrains YouTrack before 2020.6.1767, an issue's existence could be disclosed via YouTrack command execution.

In JetBrains YouTrack before 2020.4.6808, the YouTrack administrator wasn't able to access attachments.

In JetBrains YouTrack before 2020.4.4701, permissions for attachments actions were checked improperly.

In JetBrains YouTrack before 2020.4.4701, CSRF via attachment upload was possible.

In JetBrains YouTrack before 2020.4.4701, an attacker could enumerate users via the REST API without appropriate permissions.

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

In JetBrains YouTrack before 2020.3.888, notifications might have mentioned inaccessible issues.

JetBrains YouTrack before 2020.3.5333 was vulnerable to SSRF.

In JetBrains YouTrack before 2020.3.6638, improper access control for some subresources leads to information disclosure via the REST API.

In JetBrains YouTrack before 2020.3.7955, an attacker could access workflow rules without appropriate access grants.