  1. Jira Data Center
  2. JRASERVER-43960

Shared filters page displays usernames of filter owners to the public

    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      Description:

      The shared filters page shows the usernames of filter owners, even to users who are not logged in. This is not desirable since an attacker can use the usernames in a brute-force or dictionary attack.

      Steps to reproduce:

      1. As an unauthenticated user, run a search for any term.
      2. The results page has a "Find Filters" link.
      3. Clicking on the "Find Filters" link redirects to a page with an option for "Popular".
      4. Clicking "Popular" lists filters "Shared with all users" and the usernames of authors of those filters.

      Suggestion:

      Hide the owner of the filter when an unauthenticated user tries to search for it. Alternatively, consider hiding only the owner's username and showing only their complete name.

              drauf Daniel Rauf
              agoncalves Arthur Gonçalves (Inactive)
              Votes: 1
              Watchers: 9
