A security issue was fixed on December 29, 2020.
Nature of the issue
A security vulnerability was recently identified in Elements Checklist.
The vulnerability affected version 1.2.21-AC of Elements Checklist. The vulnerability meant that data stored in checklists may have been compromised from July 20th to December 29th, 2020.
This vulnerability has been rated as medium, according to the Common Vulnerability Scoring System (CVSS) scale.
The vulnerability was brought to our attention by the Atlassian Bug Bounty program.
Based on our investigations, the vulnerability may have led Jira users to execute malicious code in Jira issues through checklists.
Analysis and actions taken
Once we became aware of the issue, we reproduced it and identified its origin: an XSS injection was possible in checklist fields (value/default value). Based on what we found, we added the DOMPurify library to sanitize these fields. This vulnerability is now fixed.
Then we worked with Atlassian to update the Atlassian Marketplace with an updated listing of our app that is free from this vulnerability.
No further action is required from any user at this point.
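The class of fix described above (sanitizing checklist field values before they are rendered) is sketched below as an added example; it is not the Elements Checklist source code. The item shape `{ value, defaultValue }`, the function names, the tag allow-list and the sample data are assumptions made for illustration.

```javascript
// Added example: a hypothetical checklist renderer, not the Elements Checklist source.
// The item shape { value, defaultValue } mirrors the two fields named in the advisory.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);

// Use DOMPurify when it is loaded (browser); otherwise fall back to strict
// escaping, which allows no markup at all.
function makeSanitizer(purify) {
  if (purify && typeof purify.sanitize === 'function') {
    return (dirty) => purify.sanitize(String(dirty), {
      ALLOWED_TAGS: ['b', 'i', 'em', 'strong'], // assumed formatting allow-list
      ALLOWED_ATTR: [],                          // no attributes, so no event handlers
    });
  }
  return escapeHtml;
}

// Before: the stored string is placed into the page markup unchanged.
function renderItemUnsafe(item) {
  return `<li>${item.value ?? item.defaultValue ?? ''}</li>`;
}

// After: whichever field is displayed passes through the sanitizer at render time.
function renderItem(item, sanitize) {
  return `<li>${sanitize(item.value ?? item.defaultValue ?? '')}</li>`;
}

// Heuristic review aid: list stored items whose fields contain tag-like text.
function findMarkupItems(items) {
  const tagLike = /<\s*\/?\s*[a-z!]/i;
  return items.filter((it) =>
    [it.value, it.defaultValue].some((f) => tagLike.test(String(f ?? ''))));
}

// Constructed sample data, not taken from any real checklist.
const sampleItems = [
  { id: 1, value: 'Review pull request', defaultValue: '' },
  { id: 2, value: '<img src=x onerror=alert(1)>', defaultValue: '' },
  { id: 3, value: null, defaultValue: '<script>alert(1)</script>' },
];
```

In a browser with DOMPurify loaded, pass the global to `makeSanitizer(window.DOMPurify)`; `findMarkupItems` is a coarse filter for reviewing stored values and will also match harmless text that happens to look like a tag.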
We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers.
If you have any questions, please feel free to raise a support request at support.elements-apps.com.