Email This Issue
📈 Marketplace❓ Support❤️ Feedback🏠 META-INF Apps
Email This Issue - for Jira Server/Data Center
Email This Issue - for Jira Server/Data Center
  • ⬇️Start Here
  • Email This Issue - for Jira Server/DC
  • Features
  • Secure the email channel with Email This Issue
  • Comparing Email This Issue and Jira Server/DC
  • 🤓Documentation
    • Outgoing Emails
      • Sending manual emails
        • The difference between email editors
        • Enabling template categories so templates can be chosen on the Email screen
        • Mail Generation Queue (formerly called Event Queue)
        • Manual Email Default Settings
      • Sending issue filters by email
      • Email templates
        • Adding custom macro to email templates
        • Adding Email Audit Log to email templates
        • Adding fields to email templates
        • Adding issue comments to emails
        • Adding issue link information to your template
        • Adding issue operation links to the email
        • Adding a signature with a company logo to emails
        • Adding user properties to emails
        • Disabling links and avatars or icons in templates
        • Formatting Date and Time values
        • Using reply templates
        • Using Mail Body Initializer templates
        • Rendering templates within templates
        • Velocity Context in email templates
        • Formatting number values
        • Searching for issues in email templates
        • Changelog information in email templates
        • Canned responses
      • Contexts
        • Context Resolution Algorithm
      • Event Notifications
      • Distribution lists
      • Workflow post functions
      • Custom fields
    • Incoming Emails
      • Attachment Filtering
      • Next Generation Mail Handlers
        • Jira automation and Next Generation Mail Handlers
        • Using regular expressions
      • Classic Mail Handlers - Deprecated
        • Mail Handler Error Log
        • Step-by-step Classic Mail Handler to Next Generation Mail Handler migration aid
        • Field Rules
        • Phasing out the Classic Mail Handler
        • Comparing the Classic and the Next Generation Mail Handlers
    • Integrations
      • CRM for Jira
      • nFeed
      • Glass Documentation
      • API - Integration with other services
    • Administration
      • General configuration
      • Email Audit Log
      • Outgoing Mail Connections
      • Outgoing Mail Queue
      • Incoming Mail Connections
      • Incoming Mail Queue
      • Incoming Mail Log
      • Backup and restore settings
        • Backup and restore administration
          • Backup menu
          • Restore menu
        • Backup and Restore Tutorials
          • Backup and restore for empty email settings
          • Backup and restore only parts of a configuration
          • Backup and restore every setting in the same instance
      • OAuth2 Authorizations in Email This Issue
        • OAuth2 Client Credentials
        • Authorizing Email This Issue to access Gmail accounts
        • Authorizing Email This Issue to access Microsoft 365 accounts
        • Enabling OAuth2 Authorization in your Google Account
        • Enabling OAuth2 authorization in your Microsoft 365 account
        • Troubleshooting guides for Microsoft OAuth2 Connections
          • How to fix "Authorization Was Interrupted" error
          • How to fix "BAD User is authenticated but not connected" error
          • How to fix "401 Unauthorized" error
          • How to fix "key expires_in " error
          • How to fix "Need admin approval" error
      • Alerting via Webhooks
        • Webhooks
          • Configuring Slack to receive webhooks
          • Configuring OpsGenie to receive webhooks
        • Webhook execution logs
      • Email Security
    • Service management integration
    • JQL Functions
    • Top-level menu navigation
  • ☁️Server to Cloud Migration
    • Server to Cloud - Automatic Migration tool
    • Server to Cloud - Manual migration guide for Email This Issue
      • Overview of available features
      • Differences of the Server and Cloud user interface
      • Migrating Outgoing Settings
        • Migrating Templates
        • Migrating Notifications
        • Migrating Manual Email Defaults
        • Migrating Contexts
        • Migrating Canned Responses
        • Migrating Post Functions
        • Migrating Outgoing Mail Connections
      • Migrating Incoming Settings
        • Migrating Classic Mail Handlers
        • Migrating Next Generation Mail Handlers
        • Migrating Incoming Mail Connections
        • Migrating Incoming Mail Queue Settings
        • Migrating Incoming Mail Log Settings
      • Migrating Other Settings
        • Migrating OAuth2 Credentials
        • Migrating global default email settings
        • Migrating permissions for sending emails manually
        • Migrating recipient restrictions
  • ❓FAQ
    • FAQ
      • How to bypass workflow conditions
      • How to avoid email loops
      • How to control who to send emails to
      • How to customize Email From in outgoing emails
      • How to enable logging
      • How to install license keys
      • How to find out why the Email button is missing
      • How to obtain a community or non-profit license
      • How to prevent duplicate emails
      • How to remove old content from reply emails
      • How to send personalized emails to recipients
      • How to set up auto-reply or acknowledgment emails
      • How to track cases when you don't get any emails
      • How to view the log of incoming and outgoing emails
      • The iOS Mail app does not show attachments
      • How to route emails to projects
      • How to maintain email threads in Jira
      • How to fix issues with a corrupt index state
      • How to set polling interval for mail accounts manually
    • Tutorials
      • Configuring email approval
      • Customizing the email template used with manual emails
      • Enhance Jira Service Management with Email This Issue
      • Getting Started
      • Setting up an Email Help Desk
      • Setting up customized notifications
      • Setting up a Service Management with a Next-Gen Mail Handler
  • 🌪️Misc
    • Open Source Components
    • Pricing Updates
      • Pricing Update effective October 1st 2018
      • Pricing Update effective December 1, 2021
    • End of Support Policy
    • Security Advisories
      • Email This Issue Security Advisory 2020-02-18
    • Database Tables
    • Translations
  • 🆕Release Notes
    • Release notes
      • 9.x.x
        • 9.15.0 Jira 10 compatibility
        • 9.13.0 Improvements and Fixes
        • 9.11.0 Improvements and fixes
        • 9.10.0 Major improvements and fixes
        • 9.9.1 Improvements and fixes
        • 9.9.0.2 Major improvements and fixes
        • 9.8.0 Improvements and fixes
        • 9.7.0 Improvements and fixes
        • 9.6.0 Improvements and fixes
        • 9.5.0 Improvements and fixes
        • 9.4.0 Bugfixes
        • 9.3.3. Improvements and fixes
        • 9.3.2 Major improvements
        • 9.3.1 Automatic cloud migration
        • 9.2.2.1 Bugfixes
        • 9.2.2 Improvements and fixes
        • 9.2.1.3 Compatibility changes for Jira 9.0.0
        • 9.2.1 Major improvements
        • 9.2.0 Improvements and fixes
        • 9.1.1 Improvements and fixes
        • 9.1.0.1 Alerting and other major new features
        • 9.0.2 Bugfixes, next step in deprecating the Classic Mail Handler
        • 9.0.1 Minor improvement and fixes
        • 9.0.0 Major improvements
        • 9.12.0 Improvement and fixes
        • 9.17 Improvements and Fixes
        • 9.18.0 Improvements and fixes
      • 8.1.x
        • 8.1.3 Classic handler is deprecated, timezone support, bug fixes
        • 8.1.2 Important bug fixes
        • 8.1.1 Microsoft 365 OAuth2, improvements and fixes
        • 8.1.0 Microsoft 365 OAuth2, improvements and fixes
      • Up to 8.0.6
Powered by GitBook
On this page

Was this helpful?

  1. Misc
  2. Security Advisories

Email This Issue Security Advisory 2020-02-18

PreviousSecurity AdvisoriesNextDatabase Tables

Last updated 3 years ago

Was this helpful?

Security Advisory for incident SA20201.

Summary

Advisory Release Date

2020-02-18

Affected versions

All versions before 8.0.1

Fixed version

8.0.1

About the vulnerability

The has been discovered affecting the and its items in all versions of the app. It allows the attacker to inject a persistent cross-site scripting method, which allows the individual to exploit the vulnerability.

The potential threat arises from expanding the Email details in the Email Audit Log and clicking on the malicious links. Therefore we recommend you take extra care opening the body of the emails and clicking the links in the Emails shown in the issue screen or in the Email Audit Log under the app's administration page until the app is updated to the latest version.

Below is an exact example with a screenshot:

This threat is only present in incoming emails, outgoing emails are not affected. Therefore if you are not using Email This Issue's mail handler for incoming email processing, you are safe.

Once we became aware of the vulnerability, we considered our options and fixed it immediately.

How to fix the vulnerability

If you are using version 8.0.0 of the application

Vulnerability enhancement does not include new features and requires no further action on your part. Upgrade to 8.0.1 as usual and let us know if you notice anything unusual.

If you are using version 7.1.5 of the application

You can safely upgrade to version 8.0.1. 8.0.0 contains two major enhancements, but it does not explicitly affect current configurations.

If you are using an older version of the application

We recommend that you upgrade to the latest version, but read the release notes carefully and check your system first.

Workaround

If you are unable to update Email This Issue for Jira to version 8.0.1, please follow the below steps as a temporary workaround:

  1. Navigate to Email This Issue administration’s General Configuration

  2. Select „Hide” in the Email Audit Log’s dropdown menu.

Note that this workaround can be applied to versions 5.3 or higher.

As a result, no users will be able to see the Emails tab on the bottom of the issue page (hence the ability to click on any links is eliminated). Administrator users will still be able to browse the email audit log in Email This Issue’s administration page.

FAQ

Q: Am I vulnerable if I use Jira’s internal mail handler? A: No, you are not. You’re only affected if you are using Email This Issue’s mail handler to process incoming emails.

Q: Am I vulnerable if I use my Jira in an intranet? A: Yes, unfortunately, you are. Being affected does not depend on using Jira in an intranet setting but on incoming emails from unreliable sources being processed.

A has been discovered affecting the and its items in all versions of the app. It allows the attacker to inject a persistent cross-site scripting method, which allows the individual to exploit the vulnerability.

The official instructions for updating the application are available on the .

If you have any questions, please raise a referencing „SA-20201” in the summary or send us an email to and include „SA-20201” in the subject.

🌪️
Atlassian support page
support request
support@metainf.atlassian.net
vulnerability
Email audit log
Version history
Download version
vulnerability
Email audit log