Cross-site request forgery vulnerability in User Profiles for Jira
Advisory Release Date
16 February 2021
User Profiles for Jira
all User Profiles for Jira versions until 2.4.2
We were able to identify a security vulnerability in our User Profiles for Jira app. The vulnerability allows any logged-in user to force an administrator to change the Company Chat App Integration.
The vulnerability has been rated P3 on the scale published in Bugcrowd's Vulnerability Rating Taxonomy (VRT).
If you are using one of the affected User Profiles for Jira versions until 2.4.1, please update to User Profiles for Jira 2.4.2.
Because of a missing XSRF security token check, the URL could be embedded in Jira content, and an administrator who followed it would execute the change without noticing.
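The defect described above is the absence of a per-session anti-CSRF token check on a state-changing request. The following added example (illustration code, not the User Profiles for Jira app's own source) shows the "before" handler, which trusts the browser-attached session cookie alone, beside a hardened handler that requires a POST carrying a token bound to the administrator's session. The session store, settings store, servlet path and user names are constructed stand-ins; the token parameter name `atl_token` follows Jira's own form convention but is an assumption for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory stand-ins for the application's session and settings stores.
SESSIONS = {}                                      # session id -> session record
SETTINGS = {"company_chat_app": "internal-chat"}   # constructed sample setting


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def start_session(user: str, is_admin: bool) -> str:
    """Create a session and mint a random per-session anti-CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "is_admin": is_admin,
                     "xsrf_token": secrets.token_hex(32)}
    return sid


def current_session(req: Request):
    return SESSIONS.get(req.cookies.get("JSESSIONID"))


def change_chat_app_unprotected(req: Request) -> int:
    """'Before' handler: authentication only. Any request that carries the admin's
    cookie (which the browser attaches automatically) changes the setting."""
    sess = current_session(req)
    if not sess or not sess["is_admin"]:
        return 403
    SETTINGS["company_chat_app"] = req.params.get("chatApp")
    return 200


def change_chat_app_protected(req: Request) -> int:
    """'After' handler: authentication plus a synchronizer-token check.
    A cross-site request cannot read the token, so it cannot pass this check."""
    sess = current_session(req)
    if not sess or not sess["is_admin"]:
        return 403
    if req.method != "POST":          # state changes never ride on a plain link
        return 405
    supplied = req.params.get("atl_token", "")
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(supplied, sess["xsrf_token"]):
        return 403
    SETTINGS["company_chat_app"] = req.params.get("chatApp")
    return 200


def simulate() -> dict:
    """Run both handlers against constructed requests and report the outcomes."""
    admin_sid = start_session("admin", True)
    cookies = {"JSESSIONID": admin_sid}
    path = "/plugins/servlet/userprofiles/chat"    # placeholder path, not the app's
    results = {}

    # A link embedded in Jira content: cookie present, but no session token.
    forged_get = Request("GET", path, {"chatApp": "unwanted-chat"}, cookies)
    SETTINGS["company_chat_app"] = "internal-chat"
    results["unprotected_status"] = change_chat_app_unprotected(forged_get)
    results["after_unprotected"] = SETTINGS["company_chat_app"]

    SETTINGS["company_chat_app"] = "internal-chat"
    results["protected_get_status"] = change_chat_app_protected(forged_get)
    forged_post = Request("POST", path, {"chatApp": "unwanted-chat"}, cookies)
    results["protected_post_status"] = change_chat_app_protected(forged_post)
    results["after_protected"] = SETTINGS["company_chat_app"]

    # A legitimate submission from the app's own form, which embeds the token.
    legit = Request("POST", path,
                    {"chatApp": "approved-chat",
                     "atl_token": SESSIONS[admin_sid]["xsrf_token"]}, cookies)
    results["legit_status"] = change_chat_app_protected(legit)
    results["after_legit"] = SETTINGS["company_chat_app"]
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The unprotected handler applies the forged change because cookie-based authentication says nothing about where the request originated; the protected handler rejects both the link (wrong method) and a token-less POST, while the app's own form, which renders the session token into the page, still succeeds.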