Vulnerability notification 2: RemindMe for Jira

Summary

Administration actions can be performed by any Confluence user

Advisory Release Date

21 January 2021 

Product

RemindMe for Jira

Affected Versions

all RemindMe for Jira versions until 1.3.3

Fixed Version

1.3.4

Problem

We were able to identify security vulnerabilities in our RemindMe for Jira app.

The vulnerabilities allow any logged-in user to delete all filters and subscriptions and to (re-)send the reminders for a specific date.

The vulnerability to delete the filters and subscriptions has been rated as P4 (Low) and the vulnerability to (re-)send the reminders has been rated as P3 (Medium) according to the scale published in Bugcrowd's Vulnerability Rating Taxonomy (VRT).

All versions of RemindMe for Jira until version 1.3.3 are affected by these vulnerabilities.

Solution

If you are using an affected version of RemindMe for Jira, please immediately upgrade to version 1.3.4.

Root Cause

Security tokens are missing.