
2024/10/10 - P3 Security Issue

A security issue was fixed on November 26th 2024.

Nature of the issue

A security vulnerability was recently identified in Elements Overview.
The vulnerability meant that any user logged in to the Customer Portal could access, and therefore leak, potentially sensitive issue data through the error message thrown by the testDynamicJqlQuery functionKey.

This vulnerability has been rated as moderate on the Common Vulnerability Scoring System (CVSS) scale, and existed from October 10th, 2024 to November 26th, 2024.

The vulnerability was brought to our attention by the Atlassian Marketplace Bug Bounty program.

Impact

Based on our investigations, the vulnerability meant that any user logged in to the Customer Portal could access and therefore leak potentially sensitive issue data through the error message thrown by the testDynamicJqlQuery functionKey.

Analysis and actions taken

Once we became aware of the issue, we reproduced and identified the origin of the problem.

The issue occurs because two functions were not sending requests on behalf of the user, which should be the default behavior. Instead, when the Customer Portal is loaded, a system setting is accidentally changed, causing all following requests to be sent as the app instead of as the user. Because the setting is shared, this affects multiple requests, not just the current one.

To fix this, we updated the code to ensure each function sends requests as the appropriate user. From now on, customers who don’t have the necessary permissions will see a “forbidden” error message in the response.
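The failure mode and the fix described above, modeled as an added example (hypothetical code, not Elements Overview's implementation): a stub backend stands in for Jira, a shared mutable setting plays the role of the system setting flipped at portal load, and the fixed variant selects the identity per call and returns a bare "forbidden" instead of issue content.

```javascript
// Constructed sample data: the app identity can read every issue, while a
// portal user can only read issues shared with them.
const ISSUES = {
  'ABC-1': { summary: 'Internal escalation notes', sharedWith: [] },
  'ABC-2': { summary: 'Printer out of toner', sharedWith: ['alice'] },
};

// Stub for the Jira request layer: `identity` is either 'app' or a user name.
function fetchIssue(identity, key) {
  const issue = ISSUES[key];
  if (identity === 'app' || issue.sharedWith.includes(identity)) {
    return { ok: true, issue };
  }
  return { ok: false, status: 403 };
}

// Vulnerable shape (hypothetical): one module-level setting decides the
// identity for every later request, and an unrelated code path (portal load)
// flips it to 'app'. Every function that reads the setting is affected.
const settings = { sendAs: 'user' };
function onPortalLoadBuggy() { settings.sendAs = 'app'; }

function testJqlBuggy(user, key) {
  const identity = settings.sendAs === 'app' ? 'app' : user;
  const res = fetchIssue(identity, key);
  if (!res.ok) return { error: 'forbidden' };
  // The fetched issue is echoed into the error text: once the request was
  // sent as the app, a user with no access to ABC-1 reads its summary here.
  return { error: `query failed on ${key}: ${res.issue.summary}` };
}

// Fixed shape: no shared setting, the calling user is the identity for this
// call only, and a permission failure is reported as 'forbidden' with no
// issue content in the message.
function testJqlFixed(user, key) {
  const res = fetchIssue(user, key);
  if (!res.ok) return { error: 'forbidden' };
  return { error: `query failed on ${key}` };
}
```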

This vulnerability is now fixed.

We have published an updated listing of our app on the Atlassian Marketplace that is free from this vulnerability.

No further action is required from any user at this point.

Conclusion

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers.

If you have any questions, please feel free to raise a support request at support.elements-apps.com.
