In JetBrains YouTrack before 2021.3.21051, stored XSS is possible.

While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

The PhoneTrack Meu Site Manager WordPress plugin through 0.1 does not sanitise or escape its "php_id" setting before outputting it back in an attribute in the page, leading to a stored Cross-Site Scripting issue.

In JetBrains YouTrack before 2021.1.11111, sandboxing in workflows was insufficient.

In JetBrains YouTrack before 2021.2.16363, an insecure PRNG was used.

In JetBrains YouTrack before 2021.3.21051, a user could see boards without having corresponding permissions.

In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.

In JetBrains YouTrack before 2021.2.16363, time-unsafe comparisons were used.