[Bugcrowd] Bypass password protection to subscribe for a share

Description

A few steps were a bit unclear to me, so I’ve added my notes to the original Bugcrowd report below.

Original report:

Steps to reproduce:

Part 1. Configuration

  1. Log in to the victim's instance

  2. Open any Jira issue

  3. Click ... in the top right corner -> Create external share - this is the victim’s Share

  4. On the Security tab enable Protect link with password

  5. Copy the URL of the share from the top - we just need the UUID, so make sure you are not accessing the page via the attacker's ES account (which is needed in Part 2)

Part 2. The vulnerability

  1. Log in to the victim's instance

  2. Open any Jira issue

  3. Click ... in the top right corner -> Create external share - this is the attacker’s Share

  4. Copy the URL of the share from the top and open it

  5. Click My account and log in via Atlassian, click to activate your account - this and the next step are relevant only if you’re not already logged on to the attacker account

  6. Open the attacker's share link again

  7. In the top right corner expand the Start watching dropdown and click Invite watchers

  8. Type the attacker's email (as in the Atlassian account), click Invite and intercept the request to /watchers/invite in Burp Suite

  9. Change the shareUuid value in the request body to the victim's share UUID (you can get it from the share link that looks like https://jira.external-share.com/issue/<SHARE_UUID>) and forward the request

  10. Go to the attacker's email and follow the link to accept the invite

  11. After accepting the invite you will be redirected to https://jira.external-share.com/dashboard.html?type=INVITATIONS, where you can see the issue title. Also, the issue changes will send notifications to the attacker's email as mentioned above

Receiving the e-mail is actually optional: you can just go to the attacker’s ES Dashboard → Invitations and see the watch invite there. Once accepted, make any changes to the shared Jira ticket and you should get an e-mail with the updates.
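To make the missing check concrete, below is an added Python model of the invite handler; it is not External Share's own code. The vulnerable version trusts the shareUuid from the request body, while the hardened one resolves the share server-side and refuses unless the caller can already view it. The Share/Session model, the in-memory store and the function names are assumptions made for this illustration.

```python
# Hypothetical model of the /watchers/invite authorization check (added example,
# not External Share's code). Share/Session shape and store are assumptions.
from dataclasses import dataclass, field


@dataclass
class Share:
    uuid: str
    owner: str                          # ES account that created the share
    password_protected: bool
    watchers: set = field(default_factory=set)


@dataclass
class Session:
    user: str                           # authenticated ES account e-mail
    unlocked: set = field(default_factory=set)   # protected shares this session has entered the password for


def sample_shares() -> dict:
    """Constructed data: the victim's password-protected share and the attacker's own open share."""
    return {
        "victim-uuid": Share("victim-uuid", "victim@example.com", True),
        "attacker-uuid": Share("attacker-uuid", "attacker@example.com", False),
    }


def invite_vulnerable(shares: dict, session: Session, share_uuid: str, email: str) -> bool:
    """Trusts the client-supplied shareUuid: any logged-in ES user can add a watcher to any share."""
    share = shares.get(share_uuid)
    if share is None:
        return False
    share.watchers.add(email)           # no check that the caller may even view this share
    return True


def can_view(share: Share, session: Session) -> bool:
    """Owner, open share, or password already entered in this session."""
    return (session.user == share.owner
            or not share.password_protected
            or share.uuid in session.unlocked)


def invite_hardened(shares: dict, session: Session, share_uuid: str, email: str) -> bool:
    """Resolves shareUuid server-side and refuses unless the caller can already view that share."""
    share = shares.get(share_uuid)
    if share is None or not can_view(share, session):
        return False                    # same answer for unknown and forbidden shares
    share.watchers.add(email)
    return True
```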

Activity

Daniel Stefaniak 3 April 2026, 13:20

Fix verified on ESFJ QA with Burp Suite against Mozilla Firefox (attacker). The invitation doesn’t go through and the attacker doesn’t receive the e-mail. Instead, an error pop-up presented below is displayed.

Mariusz Szymański 24 March 2026, 07:41

@Krzysztof Bogdan Sure

Krzysztof Bogdan 20 March 2026, 16:29

@Mariusz Szymański Can you take a look?