NOTE: This bug report is for JIRA Service Desk Server. Using JIRA Service Desk Cloud? See the corresponding bug report.

      Trigger: The reporter of an issue replies to the Satisfaction Survey email.
      Causes: The satisfaction survey is included as a comment to the issue, together with the score links and token.
      Result: Anyone with access to the issue can set the customer's satisfaction score by copy-pasting the desired URL.

      The trigger will only work if the reporter's email account is set to include the previous email in the reply.

      Suggested fix: Filter the email replies included as comments to erase the links matching the structure of a satisfaction link.

      Notes
      Forwarding the notification mail that includes the survey request to another user can also cause that other user to follow the score links, effectively overwriting the previous value.
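
The suggested fix above, sketched as an added example (this is not Atlassian's code and not code from this report): scrub survey links from inbound email text before it is stored as a comment. The link shape (a path ending in `/feedback` with a `token` query parameter), the host, and the sample reply are assumptions constructed for illustration, since the report does not give the real link structure.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# ASSUMPTION: a survey link has a path ending in /feedback and a "token" query
# parameter. The report does not give the real structure; adapt to your instance.
SURVEY_PATH_SUFFIX = "/feedback"
TOKEN_PARAM = "token"
PLACEHOLDER = "(satisfaction link removed)"

# Stop at whitespace and at the delimiters mail clients and wiki markup put
# around links: <url>, [label|url], "url", (url).
URL_RE = re.compile(r"https?://[^\s<>\"'|\[\]()]+", re.IGNORECASE)

def is_survey_link(url: str) -> bool:
    """True if url carries a survey token; the rating value is irrelevant."""
    try:
        parts = urlsplit(html.unescape(url))  # HTML replies escape & as &amp;
    except ValueError:
        return True  # unparsable URL: fail closed and redact it
    names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    path = parts.path.rstrip("/").lower()
    return path.endswith(SURVEY_PATH_SUFFIX) and TOKEN_PARAM in names

def scrub_comment(body: str) -> tuple[str, int]:
    """Return (body with survey links replaced, number of links removed)."""
    removed = 0
    def replace(match: re.Match) -> str:
        nonlocal removed
        if not is_survey_link(match.group(0)):
            return match.group(0)
        removed += 1
        return PLACEHOLDER
    return URL_RE.sub(replace, body), removed

# Constructed sample: a customer's reply that quotes the survey email.
SAMPLE_REPLY = (
    "Thanks, that fixed it.\n"
    "> How satisfied were you with our service?\n"
    "> [1|https://sd.example.test/portal/HELP-7/feedback?token=CONSTRUCTED&rating=1]\n"
    "> 5 <https://sd.example.test/portal/HELP-7/feedback?token=CONSTRUCTED&amp;rating=5>\n"
    "> View request: https://sd.example.test/portal/HELP-7\n"
)

if __name__ == "__main__":
    print(scrub_comment(SAMPLE_REPLY)[0])
```

The filter keys on the token rather than the rating because the rating is the part anyone can change; it belongs in the mail handler, before the comment body is saved.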


            [JSDSERVER-3646] Satisfaction survey added as a comment lets anyone set the score

            Marc Dacanay made changes -
            Labels Original: affects-cloud affects-server pm New: affects-cloud affects-server pm ril
            Marc Dacanay made changes -
            Remote Link New: This issue links to "Internal ticket (Web Link)" [ 954887 ]
            SET Analytics Bot made changes -
            Support reference count Original: 3 New: 4
            SET Analytics Bot made changes -
            Support reference count Original: 2 New: 3

            Lars Klein added a comment -

            As the change is done under the name of the reporter, that is a security incident for us and should not wait another 6 years for fixing!

            Owen made changes -
            Workflow Original: JSD Bug Workflow v5 - TEMP [ 2304432 ] New: JAC Bug Workflow v3 [ 3126224 ]
            Status Original: To Do [ 10071 ] New: Gathering Impact [ 12072 ]
            Owen made changes -
            Symptom Severity Original: Minor [ 14432 ] New: Severity 3 - Minor [ 15832 ]
            SET Analytics Bot made changes -
            Support reference count New: 2
            Bartosz Ornatowski made changes -
            Labels Original: affects-cloud affects-server New: affects-cloud affects-server pm
            Katherine Yabut made changes -
            Workflow Original: JSD Bug Workflow v5 [ 2058492 ] New: JSD Bug Workflow v5 - TEMP [ 2304432 ]

              Assignee: Unassigned
              Reporter: Ignacio Pulgar
              Affected customers: 6
              Watchers: 9
