Vulnerability notification 2: User Profiles for Jira

Summary

Cross-site request forgery (CSRF) vulnerability in User Profiles for Jira

Advisory Release Date

16 February 2021

Product

User Profiles for Jira

Affected Versions

All User Profiles for Jira versions before 2.4.2

Fixed Version

2.4.2

Problem

We were able to identify a security vulnerability in our User Profiles for Jira app. The vulnerability allows any logged-in user to trick an administrator into changing the Company Chat App Integration setting without the administrator's knowledge.

The vulnerability has been rated P3 according to the scale published in Bugcrowd's Vulnerability Rating Taxonomy (VRT).

Solution

If you are using User Profiles for Jira in one of the affected versions (up to and including 2.4.1), please update to User Profiles for Jira 2.4.2.

Root Cause

Because of a missing XSRF security token check, the URL that performs the change could be embedded in Jira content, and an administrator viewing that content would execute the request without noticing.
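The following is an added illustration, not code from the User Profiles for Jira app or from the vendor, of the class of defect described above and its fix. It models a state-changing request handler in plain Python with a constructed in-memory session store: a "before" handler that relies on the session cookie alone, beside a hardened handler that requires a POST and a per-session XSRF token echoed in the request body. The setting name `chat_integration`, the parameter name `xsrf_token` and the request dictionaries are all hypothetical stand-ins for the app's real endpoint.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> server-side session state.
# The XSRF token is random per session and stored server-side, so content
# served from another origin (or embedded in a page) cannot read it.
SESSIONS = {}

# Hypothetical application state; stands in for the "Company Chat App
# Integration" setting named in the advisory.
SETTINGS = {"chat_integration": "original"}


def new_session(user, is_admin):
    """Create a session and return its id (the value the browser keeps in a cookie)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "admin": is_admin, "xsrf": secrets.token_urlsafe(32)}
    return sid


def xsrf_token_for(sid):
    """The token a legitimate page would embed in its form for this session."""
    return SESSIONS[sid]["xsrf"]


def vulnerable_update(request):
    """'Before' handler: authorises on the session cookie alone.
    A request triggered by an embedded URL carries the administrator's cookie
    automatically, so it passes this check and changes the setting."""
    session = SESSIONS.get(request["cookie"])
    if not session or not session["admin"]:
        return 403
    SETTINGS["chat_integration"] = request["params"]["value"]
    return 200


def hardened_update(request):
    """'After' handler: same authorisation, plus two CSRF defences.
    1. State changes only via POST, so a plain URL (GET) cannot trigger them.
    2. The request must echo the session's XSRF token; compared in constant
       time with hmac.compare_digest to avoid timing side channels."""
    session = SESSIONS.get(request["cookie"])
    if not session or not session["admin"]:
        return 403
    if request["method"] != "POST":
        return 405
    supplied = request["params"].get("xsrf_token", "")
    if not hmac.compare_digest(supplied, session["xsrf"]):
        return 403
    SETTINGS["chat_integration"] = request["params"]["value"]
    return 200


def embedded_url_scenario(handler):
    """Replays the advisory's scenario against a handler: the administrator's
    browser follows an embedded URL. The request carries the admin's session
    cookie but no XSRF token. Returns (status, resulting setting)."""
    SETTINGS["chat_integration"] = "original"
    admin_sid = new_session("admin", True)
    request = {"method": "GET", "cookie": admin_sid, "params": {"value": "forged"}}
    return handler(request), SETTINGS["chat_integration"]


def forged_post_scenario(handler):
    """Same as above but with POST and no token: the method check alone is not
    enough, the token check is what stops it. Returns (status, setting)."""
    SETTINGS["chat_integration"] = "original"
    admin_sid = new_session("admin", True)
    request = {"method": "POST", "cookie": admin_sid, "params": {"value": "forged"}}
    return handler(request), SETTINGS["chat_integration"]


def legitimate_scenario(handler):
    """An administrator submits the real settings form, which carries the token."""
    SETTINGS["chat_integration"] = "original"
    admin_sid = new_session("admin", True)
    request = {
        "method": "POST",
        "cookie": admin_sid,
        "params": {"value": "new-value", "xsrf_token": xsrf_token_for(admin_sid)},
    }
    return handler(request), SETTINGS["chat_integration"]


if __name__ == "__main__":
    print("vulnerable, embedded URL:", embedded_url_scenario(vulnerable_update))
    print("hardened,   embedded URL:", embedded_url_scenario(hardened_update))
    print("hardened,   forged POST :", forged_post_scenario(hardened_update))
    print("hardened,   legitimate  :", legitimate_scenario(hardened_update))
```

The token must be unpredictable and tied to the session; an attacker who can guess it defeats the check, and a token shared across sessions would let one logged-in user supply a value valid for the administrator's session.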