In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions.
jetbrains
CVE-2022-24347
JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon.
CVE-2022-24344
JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page.