XSS vulnerability in Backbone Issue Sync admin interface (2019-10-02)
Description
Summary
This advisory discloses security issues of high severity affecting Backbone Issue Sync. The following apps and versions are affected:
Backbone Issue Sync for Jira Cloud, version 3.0.33-AC and older versions
Backbone Issue Sync for Jira Server, version 4.0.3 and older versions
After updating this app to the fixed version, your Jira instance is no longer affected by this security issue. Please see below for steps on how to update.
Severity
K15t rates the severity level of this issue as high.
This is our baseline assessment – it's best if you evaluate its applicability to your own IT environment.
Detailed description
Backbone Issue Sync for Jira is affected by an XSS vulnerability: someone can put malicious code into certain configuration settings, and that code is executed when a user visits the configuration page. This can be used, for example but not limited to, to:
Execute HTTP requests on behalf of a user
Any user who can open the Backbone admin configuration page is affected.
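The defect class described above is a stored XSS in a settings page: a configuration value is written into the admin page's markup without escaping, so any tag it contains becomes live. The following is an added example, not K15t's code, showing the unescaped rendering pattern beside the escaped one and a small check that confirms no raw tag from the input survives into the output. The setting name and value are constructed for illustration.

```javascript
// Added example (not K15t's code): rendering a stored configuration value
// without and with HTML escaping. Runs under Node.js; no DOM needed.

// Minimal HTML entity escaping for text placed between tags or inside
// double-quoted attribute values. '&' is replaced first so that the
// entities produced by the later replacements are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: settings text is concatenated straight into markup.
// Any tag stored in the setting becomes live markup on the admin page.
function renderSettingUnsafe(name, value) {
  return `<tr><td>${name}</td><td>${value}</td></tr>`;
}

// Hardened pattern: every untrusted fragment is escaped before insertion,
// so the browser shows the setting text literally.
function renderSettingSafe(name, value) {
  return `<tr><td>${escapeHtml(name)}</td><td>${escapeHtml(value)}</td></tr>`;
}

// Reviewer check: does any raw tag present in the stored value survive
// verbatim into the HTML that will be handed to the browser?
function containsRawTag(html, value) {
  const tags = String(value).match(/<[^>]+>/g) || [];
  return tags.some((t) => html.includes(t));
}

// Constructed sample (hypothetical setting name): a value containing markup,
// which a configuration field should treat as plain text.
const sampleSetting = {
  name: "remoteProjectKey",
  value: `<b title="x">DEMO</b> & co`,
};

// Stand-alone run: show both renderings and the check result.
console.log(renderSettingUnsafe(sampleSetting.name, sampleSetting.value));
console.log(renderSettingSafe(sampleSetting.name, sampleSetting.value));
console.log(
  "raw tag survives (unsafe/safe):",
  containsRawTag(renderSettingUnsafe(sampleSetting.name, sampleSetting.value), sampleSetting.value),
  containsRawTag(renderSettingSafe(sampleSetting.name, sampleSetting.value), sampleSetting.value)
);
```

Escaping at output time, as in `renderSettingSafe`, is the fix that closes the whole class; filtering specific strings on input does not, because the same stored value may later be rendered into a different context.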
Steps we've taken to fix this issue
We have taken the following steps to address this issue:
Released fixed versions of Backbone Issue Sync on Atlassian Marketplace
Informed all app customers and evaluators through our release notes
What you need to do to solve this issue on your instance
A Jira administrator might need to upgrade Backbone Issue Sync to these (or later) versions:
Backbone Issue Sync for Jira Cloud, version 3.0.34-AC or newer
Backbone Issue Sync for Jira Server, version 4.1.0 or newer
Backbone Issue Sync for Jira Cloud will usually be updated automatically in your Jira Cloud instance by the Atlassian Marketplace. Hence, you only need to double-check if the version in the Manage Apps/Add-ons section is 3.0.34-AC or newer. If this is not the case, you need to manually trigger this update by clicking on Update in the Manage Apps/Add-ons section of your Jira Cloud instance.
Backbone Issue Sync for Jira Server needs to be updated within the Manage Apps/Add-ons section of your Jira Server. You can either do this by clicking on Update for Backbone Issue Sync or by downloading the latest version from the Atlassian Marketplace and manually uploading it to your Jira Server.
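Checking "3.0.34-AC or newer" by eye is error-prone once versions have two-digit components (a plain string comparison would rank 3.0.100-AC below 3.0.34-AC). The following is an added example, not K15t's code, of a small helper an administrator could run against the version shown in Manage Apps/Add-ons. The fixed versions are the ones stated in this advisory; the product keys `cloud` and `server` are labels chosen here.

```javascript
// Added example (not K15t's code): decide whether an installed Backbone
// Issue Sync version is at or above the fixed version from this advisory.
// Runs under Node.js.

// Fixed versions as stated in the advisory; the keys are labels chosen here.
const FIXED_VERSIONS = {
  cloud: "3.0.34-AC",
  server: "4.1.0",
};

// Parse "3.0.34-AC" into [3, 0, 34]. The "-AC" suffix marks the Cloud build
// line and carries no ordering information, so it is dropped.
function parseVersion(version) {
  const numeric = String(version).trim().split("-")[0];
  const parts = numeric.split(".").map((p) => Number.parseInt(p, 10));
  if (parts.length === 0 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`unparseable version: ${version}`);
  }
  return parts;
}

// Component-wise numeric comparison; a missing trailing component counts
// as 0, so "4.1" and "4.1.0" compare equal. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed version already contains the fix.
function isFixedVersion(product, installed) {
  const fixed = FIXED_VERSIONS[product];
  if (!fixed) throw new Error(`unknown product: ${product}`);
  return compareVersions(installed, fixed) >= 0;
}

// Stand-alone run over constructed sample versions.
for (const [product, installed] of [
  ["cloud", "3.0.33-AC"],
  ["cloud", "3.0.34-AC"],
  ["server", "4.0.3"],
  ["server", "4.1.0"],
]) {
  console.log(product, installed, isFixedVersion(product, installed) ? "fixed" : "UPDATE NEEDED");
}
```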
We are here to support you
We apologize deeply for any inconvenience this issue has caused you. If you would like assistance in correcting it, then we are here to help.
In case you have any questions or want to get support in fixing the issue on your system please let us know at support@k15t.com.