This is a list of all fixed issues in 9.1 release. See also What's New in TeamCity 9.1 in the online documentation.

See also:

TeamCity 9.0.5 (build 32523) Release Notes

Feature

Usability Problem

Bug

Exception

Performance Problem

Security Problem

The issues will be made public in the future

{hidden-data}the same with links
h3. Security Problem
* [TW-17757|http://youtrack.jetbrains.net/issue/TW-17757] - Require current password input on changing password
* [TW-39227|http://youtrack.jetbrains.net/issue/TW-39227] - JavaScript injection via build tag in run custom build dialog
* [TW-40497|http://youtrack.jetbrains.net/issue/TW-40497] - TeamCity can remember user logged in with "Remember me" unselected
* [TW-41290|http://youtrack.jetbrains.net/issue/TW-41290] - XSS with editingScope parameter on /editVcsRoot.html page
* [TW-41291|http://youtrack.jetbrains.net/issue/TW-41291] - XSS with notificatorType parameter on /admin/editGroup.html page
* [TW-41292|http://youtrack.jetbrains.net/issue/TW-41292] - XSS with runTypeInfoKey parameter on /admin/editRunType.html page
* [TW-41294|http://youtrack.jetbrains.net/issue/TW-41294] - XSS on YouTrack issue tracker test connection
* [TW-41343|http://youtrack.jetbrains.net/issue/TW-41343] - XSS on generateFeedUrl.html
* [TW-41344|http://youtrack.jetbrains.net/issue/TW-41344] - XSS with username field on registerUser.html
* [TW-41345|http://youtrack.jetbrains.net/issue/TW-41345] - It is possible to change external id without having permissions for the project
* [TW-41346|http://youtrack.jetbrains.net/issue/TW-41346] - XSS on project.html page
* [TW-41347|http://youtrack.jetbrains.net/issue/TW-41347] - XML bomb can be uploaded via upload meta-runner action causing denial of service
* [TW-41348|http://youtrack.jetbrains.net/issue/TW-41348] - XXE attack is possible via upload plugin form 
* [TW-41349|http://youtrack.jetbrains.net/issue/TW-41349] - XSS with backup file name on backup page
* [TW-41351|http://youtrack.jetbrains.net/issue/TW-41351] - XSS problem on the diffView.html page
* [TW-41526|http://youtrack.jetbrains.net/issue/TW-41526] - HTML injection in Label build feature
* [TW-41533|http://youtrack.jetbrains.net/issue/TW-41533] - XXE and Xml bomb attacks possible via teamcity-info.xml
* [TW-41696|http://youtrack.jetbrains.net/issue/TW-41696] - JavaScript injection from debugging tracing data (off by default)
* [TW-41758|http://youtrack.jetbrains.net/issue/TW-41758] - XSS on project builds schedule page
* [TW-41759|http://youtrack.jetbrains.net/issue/TW-41759] - XSS is possible via rootURL parameter on cloud profile page and RSS feed page
* [TW-41785|http://youtrack.jetbrains.net/issue/TW-41785] - XSS on agent push page
{hidden-data}

Cosmetics