This email is to inform you that a security vulnerability has been discovered in Email This Issue for Jira. Below we aim to share more about the vulnerability and how it can be fixed or temporarily bypassed with a workaround.
About the vulnerability
The vulnerability has been discovered affecting the Email audit log and its items in all versions of the app. It allows the attacker to inject a persistent cross-site scripting method, which allows the individual to exploit the vulnerability.
The potential threat arises from expanding the Email details in the Email Audit Log and clicking on the malicous links. Therefore we recommend you take extra care opening the body of the emails and clicking the links in the Emails shown in the issue screen or in the Email Audit Log under the app's administration page until the app is updated to the latest version.
Below is an exact example with a screenshot:
https://aday.news/site/assets/files/1036/email-this-issue-screenshot.png (24 kB)
This threat is only present in incoming emails, outgoing emails are not affected. Therefore if you are not using Email This Issue's mail handler for incoming email processing, you are safe.
Once we became aware of the vulnerability, we considered our options and fixed it immediately.
How to fix the vulnerability
If you are using version 8.0.0 of the application
Vulnerability enhancement does not include new features and requires no further action on your part. Upgrade to 8.0.1 as usual and let us know if you notice anything unusual.
If you are using version 7.1.5 of the application
You can safely upgrade to version 8.0.1.
8.0.0 contains two major enhancements, but it does not explicitly affect current configurations.
If you are using an older version of the application
We recommend that you upgrade to the latest version, but read the release notes carefully and check your system first.
The official instructions for updating the application are available on the Atlassian support page ( https://confluence.atlassian.com/upm/updating-apps-273875710.html).
If you are unable to update Email This Issue for Jira to version 8.0.1, please follow the below steps as a temporary workaround:
1. Navigate to Email This Issue administration’s General Configuration
2. Select „Hide” in the Email Audit Log’s dropdown menu.
Note that this workaround can be applied to versions 5.3 or higher.
As a result, no users will be able to see the Emails tab on the bottom of the issue page (hence the ability to click on any links is eliminated).
Administrator users will still be able to browse the email audit log in Email This Issue’s administration page.
If you have any questions, please raise a support request referencing „SA-20201” in the summary or send us an email to firstname.lastname@example.org and include „SA-20201” in the subject.
The META-INF Team
If you need any assistance please contact our Support Team.