2021/02/05 - Security improvements
A security issue was fixed on February, 5th 2021.
Nature of the issue
A security vulnerability was recently identified in Elements Copy & Sync.
The vulnerability affected version 1.0.16-AC of Elements Copy & Sync. The vulnerability meant that Copy & Sync recipe configuration may have been compromised from October, 1st 2020 to February, 5th 2021.
This vulnerability has been rated as low, according to the scale published on the Common Vulnerability Scoring System (CVSS).
The vulnerability was brought to our attention by the Bug Bounty program.
Impact
Based on our investigations, the vulnerability may have lead a Jira admin user to inject runnable Javascript that could then be executed in the browser of another Jira admin within the Copy & Sync configuration page.
This only impacted one pop-up in Copy & Sync configuration that could only be accessed by Jira admins. No Jira data or Jira end-user were compromised.
Analysis and actions taken
Once we became aware of the issue, we reproduced and identified the problem's origin, which was a too broad acceptance of HTML language options in the recipe deletion pop-up of our administration page. Based on what we found, we sanitized this vulnerability. This vulnerability is now fixed.
Then we worked with Atlassian to update the Atlassian Marketplace with an updated listing of our app that is free from this vulnerability.
No further action is required from any user at this point.
Conclusion
We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers.
If you have any questions, please feel free to raise a support request at support.elements-apps.com.