Jira Align: JIRAALIGN-3587

Whoops : error.asp page allows for user-supplied input


Details

    • Severity 3 - Minor

    Description

      Issue Summary

      • Any anonymous user can craft a query string and submit it to the Whoops (error.asp) page
      • The error.asp page appears to accept and reflect whatever is supplied in the query string, since the string is shown verbatim on the Whoops screen

      Steps to Reproduce

      1. As an anonymous user, craft a query string like the example below:
        https://<instance>.jiraalign.com/error?d=<user-supplied input>
      2. Using Mozilla, browse to that URL
      • Notice that the Whoops error message is displayed and contains the user-supplied string

      Expected Results

      Customer's Expected Behavior

      • Anonymous users should not be able to inject any payload via any ASP page
      • Logged-in users should not be able to inject any payload via https://<instance>.jiraalign.com/error?d=<user-supplied input>

      Actual Results

      • The user-supplied content is displayed in the body of the Whoops page.

      Workaround

      • Currently there is no known workaround for this behavior. A workaround will be added here when available.
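      The following is an added illustration, not Jira Align's own code (error.asp is classic ASP; this is a generic Python equivalent). It shows the reflecting behavior the report describes next to a hardened version that maps the d parameter onto an allowlist of fixed messages and never echoes the raw value, plus a small check that a reviewer can use to confirm the raw input no longer appears in the rendered page. The error identifiers and messages are constructed sample values.

```python
from html import escape
from urllib.parse import parse_qs

# Constructed allowlist: identifiers the application itself puts into the
# "d" parameter when it redirects to the error page. Anything else is unknown.
ERROR_MESSAGES = {
    "not_found": "The page you requested could not be found.",
    "timeout": "The request took too long to complete.",
}
GENERIC_MESSAGE = "An unexpected error occurred."


def raw_d_value(query_string: str) -> str:
    """Return the decoded 'd' query parameter, or '' if absent."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("d", [""])[0]


def render_whoops_reflecting(query_string: str) -> str:
    """Behavior as reported: the supplied string is placed into the page body unchanged."""
    return f"<h1>Whoops</h1><p>{raw_d_value(query_string)}</p>"


def resolve_error_message(query_string: str) -> str:
    """Map 'd' onto a fixed message; unknown or missing values get the generic text."""
    return ERROR_MESSAGES.get(raw_d_value(query_string), GENERIC_MESSAGE)


def render_whoops_hardened(query_string: str) -> str:
    """Hardened form: only allowlisted text reaches the page, and it is HTML-escaped anyway."""
    return f"<h1>Whoops</h1><p>{escape(resolve_error_message(query_string))}</p>"


def is_unexpected_error_key(query_string: str) -> bool:
    """Detection hook: True when 'd' carries a value the application never emits.
    Suitable for logging/alerting on requests to the error page."""
    value = raw_d_value(query_string)
    return bool(value) and value not in ERROR_MESSAGES


def reflects_input(render, query_string: str) -> bool:
    """Check helper: does the non-empty raw 'd' value appear verbatim in the rendered page?"""
    value = raw_d_value(query_string)
    return bool(value) and value in render(query_string)


if __name__ == "__main__":
    sample = "d=hello%20world"  # constructed request, not from the report
    print("reflecting version echoes input:", reflects_input(render_whoops_reflecting, sample))
    print("hardened version echoes input:  ", reflects_input(render_whoops_hardened, sample))
    print("unexpected key flagged:         ", is_unexpected_error_key(sample))
```

      The key design choice is that the parameter is treated as a lookup key rather than as display text; escaping on output is kept as defence in depth but is not what removes the reflection.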

      People

              kforeman@atlassian.com Kyle Foreman
              rcortez@atlassian.com Rodrigo Cortez
              Votes: 0
              Watchers: 4


              Time Tracking

                Estimated: Not Specified
                Remaining: 0h
                Logged: 1h