In JetBrains TeamCity before 2021.2.1, a redirection to an external site was possible.

In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases.

In JetBrains TeamCity before 2021.1.3, a newly created project could take settings from an already deleted project.

In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient.

In JetBrains TeamCity before 2021.1.2, permission checks in the Create Patch functionality are insufficient.

In JetBrains TeamCity before 2021.1.2, stored XSS is possible.

In JetBrains TeamCity before 2021.1.2, email notifications could include unescaped HTML for XSS.

In JetBrains TeamCity before 2021.1, information disclosure via the Docker Registry connection dialog is possible.

In JetBrains TeamCity before 2021.1.2, some HTTP security headers were missing.

In JetBrains TeamCity before 2021.1.2, user enumeration was possible.

In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible.

In JetBrains TeamCity before 2021.1, passwords in cleartext sometimes could be stored in VCS.

In JetBrains TeamCity before 2020.2.4, insufficient checks during file uploading were made.

In JetBrains TeamCity before 2021.1, an insecure key generation mechanism for encrypted properties was used.

In JetBrains TeamCity before 2021.1.1, insufficient authentication checks for agent requests were made.

In JetBrains TeamCity before 2020.2.4, there was an insecure deserialization.

In JetBrains TeamCity before 2020.2.3, XSS was possible.

In JetBrains TeamCity before 2020.2.4, OS command injection leading to remote code execution was possible.

In JetBrains TeamCity before 2020.2.4 on Windows, arbitrary code execution on TeamCity Server was possible.

In JetBrains TeamCity before 2020.2.3, insufficient checks of the redirect_uri were made during GitHub SSO token exchange.