Jira Cloud / JRACLOUD-43960

Shared filters page displays usernames of filter owners to the public

      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      Description:

      The shared filters page shows the usernames of filter owners, even to users who are not logged in. This is not desirable, since an attacker can use the usernames in a brute-force or dictionary attack.

      Steps to reproduce:

      1. As an unauthenticated user, run a search for any term.
      2. The results page has a "Find Filters" link.
      3. Clicking on the "Find Filters" link redirects to a page with an option for "Popular".
      4. Clicking "Popular" lists filters "Shared with all users" and the usernames of authors of those filters.

      Suggestion:

      Hide the owner of the filter when an unauthenticated user tries to search for it. Alternatively, consider hiding only the username of the owner and showing only their full name.

            Unassigned Unassigned
            agoncalves Arthur Gonçalves (Inactive)
            Votes: 1
            Watchers: 5

              Created:
              Updated:
              Resolved:
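The two options in the suggestion above, sketched as an added example (not Jira code and not part of the original issue). The User and Filter models, the OwnerPolicy names and the sample data are all hypothetical; leaked_usernames is a regression check a team could run against whatever the anonymous view renders.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class OwnerPolicy(Enum):
    HIDE_OWNER = "hide"            # first option in the suggestion
    DISPLAY_NAME_ONLY = "display"  # alternative: full name, never the login

@dataclass(frozen=True)
class User:
    username: str      # login identifier, the value a guessing attack needs
    display_name: str

@dataclass(frozen=True)
class Filter:
    name: str
    owner: User
    shared_with_all: bool

def render_filter(f: Filter, viewer: Optional[User], policy: OwnerPolicy) -> dict:
    """Fields of one filter that `viewer` may see (None means anonymous)."""
    row = {"name": f.name}
    if viewer is not None:
        # Authenticated viewers keep the existing behaviour.
        row["owner"] = {"username": f.owner.username,
                        "display_name": f.owner.display_name}
    elif policy is OwnerPolicy.DISPLAY_NAME_ONLY:
        row["owner"] = {"display_name": f.owner.display_name}
    return row

def popular_filters(filters, viewer, policy):
    """Listing for the "Popular" view: public filters plus the viewer's own."""
    visible = [f for f in filters
               if f.shared_with_all or (viewer is not None and viewer == f.owner)]
    return [render_filter(f, viewer, policy) for f in visible]

def leaked_usernames(rows, filters):
    """Usernames that appear anywhere in the rendered rows."""
    text = repr(rows)
    return sorted({f.owner.username for f in filters if f.owner.username in text})

# Constructed sample data. CAROL's display name was never changed from her login.
ALICE = User("asmith", "Alice Smith")
BOB = User("bjones", "Bob Jones")
CAROL = User("cdoe", "cdoe")
FILTERS = [
    Filter("Open bugs", ALICE, True),
    Filter("My sprint", BOB, False),
    Filter("Release checklist", CAROL, True),
]
```

With the sample data, the display-name option still exposes one login because that user's display name equals their username; hiding the owner entirely does not have this edge case.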