NOTE: This bug report is for JIRA Service Desk Server. Using JIRA Service Desk Cloud? See the corresponding bug report.

      Trigger: The reporter of an issue replies to the Satisfaction Survey email.
      Causes: The satisfaction survey is included as a comment to the issue, together with the score links and token.
      Result: Anyone with access to the issue can set the customer's satisfaction score by copy-pasting the desired URL.

      The trigger will only work if the reporter's email account is set to include the previous email in the reply.

      Suggested fix: Filter the email replies included as comments to erase the links matching the structure of a satisfaction link.

      Notes
      Forwarding the notification mail that includes the survey request to another user can also cause that other user to follow the score links, effectively overwriting the previous value.

        Attachment: reply.jpg (203 kB)

            [JSDSERVER-3646] Satisfaction survey added as a comment lets anyone set the score

            Lars Klein added a comment -

            As the change is done under the name of the reporter, that is a security incident for us and should not wait another 6 years for fixing!

            Ignacio Pulgar added a comment -

            Hi Nidhi,

            I'm not sure if the following workaround is acceptable while Atlassian fixes this issue:

            1. Enter the JSD email settings: https://<YOURS>.atlassian.net/secure/admin/SDMailInfo.jspa
            2. Select the 'Strip quotes' radio button.

            Note that, on doing so, the previous responses will not be attached to the issue.

            However, it is still possible that the satisfaction survey links are attached and sent by email to other people whom the legitimate user might be answering to.
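The following is an added example, not code from Atlassian or from this report. It shows the two defensive moves discussed on this page side by side: the suggested fix (filter inbound email replies so that survey/score links never become part of a comment) and the 'Strip quotes' mail-setting workaround from the comment above, plus a scan over an existing comment backlog to find links that have already leaked. The real JSD satisfaction-link format is not given here, so the SURVEY_LINK_RE pattern matches an assumed shape (a URL whose path contains `satisfaction` or `survey` and whose query carries a `token=` parameter); the sample reply and comments are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# ASSUMPTION: the real JSD survey URL shape is not on this page. This pattern
# matches a constructed shape (path contains 'satisfaction' or 'survey', query
# carries token=...). Replace it with a pattern taken from your own survey
# emails before relying on it.
_URL_CHAR = r"[^\s<>\"')\]]"
SURVEY_LINK_RE = re.compile(
    r"https?://" + _URL_CHAR + r"*?/(?:satisfaction|survey)"
    + _URL_CHAR + r"*?[?&]token=[\w.-]+" + _URL_CHAR + r"*",
    re.IGNORECASE,
)
REDACTED = "[satisfaction survey link removed]"

# Quote header written by common mail clients; everything after it is quoted.
QUOTE_HEADER_RE = re.compile(r"^On .+ wrote:\s*$")


def redact_survey_links(text: str) -> Tuple[str, int]:
    """Replace every survey/score link with a placeholder; return (text, count).
    This is the report's suggested fix applied to one reply body."""
    return SURVEY_LINK_RE.subn(REDACTED, text)


def strip_quoted_reply(body: str) -> str:
    """Drop '>'-prefixed lines and everything after an 'On ... wrote:' header,
    i.e. what the 'Strip quotes' mail setting does to an inbound reply."""
    kept: List[str] = []
    for line in body.splitlines():
        if QUOTE_HEADER_RE.match(line):
            break
        if line.lstrip().startswith(">"):
            continue
        kept.append(line)
    return "\n".join(kept).rstrip()


def process_inbound_reply(body: str, strip_quotes: bool = False) -> Tuple[str, int]:
    """Return what the mail handler should store as the comment body and how
    many survey links were removed. Redaction runs even when quotes are
    stripped: a link pasted into the reply's own text is not a quote."""
    text = strip_quoted_reply(body) if strip_quotes else body
    return redact_survey_links(text)


def find_leaked_survey_comments(comments: List[Dict[str, str]]) -> List[str]:
    """Detection for the existing backlog: ids of comments that already carry a
    survey link (each one lets anyone with view access set the score)."""
    return [c["id"] for c in comments if SURVEY_LINK_RE.search(c["body"])]


# Constructed sample reply: the reporter's mail client quoted the survey email.
SAMPLE_REPLY = """Thanks, that fixed it. See https://support.example.com/browse/HELP-42 for the fix.

On Mon, 3 Jun 2019, Support wrote:
> How satisfied were you with the resolution?
> 1 - https://support.example.com/servicedesk/customer/satisfaction/rate?score=1&token=tok-a1b2c3
> 5 - https://support.example.com/servicedesk/customer/satisfaction/rate?score=5&token=tok-a1b2c3
> Thank you for your feedback.
"""

# Constructed comment backlog: only 10002 carries a leaked survey link.
SAMPLE_COMMENTS = [
    {"id": "10001", "body": "Restarted the service, please confirm."},
    {"id": "10002", "body": SAMPLE_REPLY},
    {"id": "10003", "body": "Closing, see https://support.example.com/browse/HELP-42"},
]

if __name__ == "__main__":
    clean, n = process_inbound_reply(SAMPLE_REPLY)
    print(f"removed {n} link(s):\n{clean}")
    print("comments with leaked links:", find_leaked_survey_comments(SAMPLE_COMMENTS))
```

Redaction on its own keeps the quoted survey text but removes the actionable links, which is what the suggested fix asks for; the strip-quotes path drops the quoted block entirely, matching the trade-off Ignacio notes (earlier responses are no longer attached). The backlog scan is the check an administrator would run once, since every comment it flags still contains a usable score link until it is edited.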

            Nidhi Sharma added a comment -

            Hello JSD team,

            Kindly let us know by when we can expect a fix for this?

            Nidhi Sharma added a comment -

            I am facing the same issue. Looking forward to getting this fixed ASAP.

              Assignee: Unassigned
              Reporter: Ignacio Pulgar
              Affected customers: 6
              Watchers: 9