Key Vulnerability Information Summary

1. DataLore
   - JWT Token Takeover: Potential JWT token takeover using a redirect misconfiguration. Resolved internally.
   - Session Management: No way to drop all active sessions. Resolved internally.

2. JetBrains Account
   - OTP Reuse: OTP could be reused after successful validation. Resolved.
   - OAuth Integration: Account takeover risk during OAuth integration. Resolved.

3. JetBrains Websites
   - XSS Vulnerability: Reflected XSS on jetbrains.com. Resolved internally.

4. Hub
   - CSP Insufficiency: Potentially insufficient CSP for widget deployment. Resolved.
   - Account Takeover: Account takeover possible during password reset. Resolved.
   - HTML Injection: HTML injection in password reset email. Resolved.

5. RubyMine
   - Code Execution: Possible without user confirmation for untrusted projects. Resolved.

6. Space
   - Package Repositories: Deprecated organization-wide repositories publicly accessible. Resolved internally.

7. TeamCity
   - XSS Vulnerability: Potential XSS vulnerability. Resolved.
   - Insecure Deserialization: Multiple vulnerabilities identified. Resolved.
   - Authentication Issues: Insufficient authentication for agent requests. Resolved.
   - Insecure Key Generation: Insecure key generation for encrypted properties. Resolved.
   - File Upload Vulnerabilities: Insufficient checks while uploading files. Resolved.
   - Plaintext Password Storage: Plaintext passwords stored in VCS. Resolved.

8. YouTrack
   - Sandboxing Insufficiency: Insufficient sandboxing in workflows. Resolved.
   - Comparisons Vulnerability: Time-unsafe comparisons. Resolved.
   - Password Hashing: SHA-256 used for hashing passwords. Resolved.
   - PRNG Vulnerability: Insecure PRNG usage. Resolved.
   - XSS Vulnerabilities: Reflected and stored XSS. Resolved.
   - Permissions Issue: Users could view boards without necessary permissions. Resolved.