
2022/03/16 - Security improvements

A security issue was fixed on March 16th 2022.

Nature of the issue

A security vulnerability was recently identified in Elements Publish to Confluence.
The vulnerability affected version 1.0.18-AC of Elements Publish to Confluence. It meant an attacker could build requests containing scripts that would be run by our application.

This vulnerability has been rated as low, according to the scale published on the Common Vulnerability Scoring System (CVSS), and existed from February 17th, 2022 to March 16th, 2022.

The vulnerability was brought to our attention by the Atlassian Marketplace Bug Bounty program.


Based on our investigations, an attacker could build a request in which the value of a query parameter is replaced with a script, which would then be executed.

This vulnerability could only be exploited by voluntarily adding a script to a URL from a browser. It could then only impact the person using the browser, because HTTPS communication prevents the presence of a man in the middle. Consequently, no Jira data or Jira end-users were compromised.

Analysis and actions taken

Once we became aware of the issue, we reproduced it and identified the problem's origin: an expected query parameter was not sanitized when called directly from a browser. As a solution, we sanitized the value of this parameter with a dedicated library.
In addition, the value of the parameter must now match one of the values in a predefined list; if it does not, the request is rejected.
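
The fix described above, shown as an added example that is not the app's own code: a handler that reflects a query parameter unchanged, beside one that rejects any value outside a predefined list and escapes on output. The parameter name `view`, the allowed values, the host `app.example` and the function names are hypothetical, and a small escaping function stands in for the dedicated library mentioned above.

```javascript
// Added example: all names and values here are hypothetical, not taken from the app.
const ALLOWED_VIEWS = new Set(["summary", "details", "history"]); // assumed predefined list

// Escape HTML metacharacters so a value is rendered as text, never as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]
  ));
}

// 'Before' behaviour: the query parameter is copied into the page unchanged.
function renderUnsafe(requestUrl) {
  const view = new URL(requestUrl, "https://app.example").searchParams.get("view");
  return { status: 200, body: `<div data-view="${view}">${view}</div>` };
}

// 'After' behaviour: reject anything outside the predefined list, then escape on output.
function renderSafe(requestUrl) {
  const values = new URL(requestUrl, "https://app.example").searchParams.getAll("view");
  // Exactly one occurrence is expected; missing or repeated parameters are rejected too.
  if (values.length !== 1 || !ALLOWED_VIEWS.has(values[0])) {
    return { status: 400, body: "Invalid request" };
  }
  const view = escapeHtml(values[0]); // defence in depth; allowlisted values are already inert
  return { status: 200, body: `<div data-view="${view}">${view}</div>` };
}

// Constructed sample requests.
const samples = [
  "/panel?view=summary",
  "/panel?view=" + encodeURIComponent("<script>alert(1)</script>"),
  "/panel?view=summary&view=details",
  "/panel",
];
for (const url of samples) {
  console.log(url, "->", renderSafe(url).status);
}
```

Rejecting the request outright, rather than trying to repair the value, keeps the handler's behaviour predictable for every input outside the list.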

This vulnerability is now fixed.

We've published an updated listing of our app on the Atlassian Marketplace that is free from this vulnerability.

No further action is required from any user at this point.


We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers.

If you have any questions, please feel free to raise a support request at
