Jira leaks reporter and assignee e-mail addresses in data-user HTML attribute
This affects not only Mojira but apparently all Jira installations starting from a specific version, including for example
Therefore please do not disclose this anywhere. And someone please report it to Atlassian. [Mod] md_5 reported it to Atlassian and they created a report on their bug tracker.
The problem
It appears Jira is leaking reporter and assignee e-mail addresses in an HTML attribute called data-user of the respective HTML elements.
It is currently difficult to tell when this behavior started, since web.archive.org is apparently requesting this information live, and archive.is is not saving the attributes.
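A check for this leak, as an added example that is not part of the original report or of Jira's code: it scans saved page HTML for data-user attributes whose value contains an e-mail address and reports each hit with the address masked. The sample markup, the element ids and the JSON shape of the attribute value are constructed assumptions; the report itself only names the attribute.

```python
import re
from html.parser import HTMLParser

# Loose e-mail pattern, good enough for an audit; not an RFC 5322 validator.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def mask(address):
    """Redact the local part so findings can be shared without repeating the leak."""
    local, _, domain = address.partition("@")
    return local[0] + "***@" + domain


class DataUserAudit(HTMLParser):
    """Collects (tag, element id, masked address) for every data-user
    attribute whose value contains something that looks like an e-mail."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get("data-user")  # HTMLParser has already decoded &quot; etc.
        if not value:
            return
        for address in EMAIL_RE.findall(value):
            self.findings.append((tag, attrs.get("id") or "", mask(address)))


def audit(html):
    """Return the findings for one HTML document given as a string."""
    parser = DataUserAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the attribute's JSON layout and the ids are assumptions.
SAMPLE = """
<span id="reporter"><span class="user-hover" data-user="{&quot;name&quot;:&quot;alice&quot;,&quot;emailAddress&quot;:&quot;alice@example.com&quot;}">Alice</span></span>
<span id="assignee"><span class="user-hover" data-user="{&quot;name&quot;:&quot;bob&quot;}">Bob</span></span>
<a class="user-hover" rel="carol">Carol</a>
"""

if __name__ == "__main__":
    for tag, element_id, address in audit(SAMPLE):
        print(f"<{tag} id={element_id!r}> exposes {address}")
```

Run against HTML saved from your own instance while logged out, an empty result for an issue page means the attribute no longer carries an address there.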
Unaffected occurrences
The following occurrences of displayed user data are not affected. Occurrences not listed here have not been tested yet.
- project summaries
- comments
- profile pages
Credit
This was originally reported in the tweet https://twitter.com/ARZ418/status/999732544219344896
Ok, I made the bug report, but it's private because JIRA still puts the mail address of reporters in the HTML source (pls fix), so idk if you can already see it... If you can't, hmu so I can send you my contact info somewhere less public :) https://bugs.mojang.com/browse/MC-130199 ...