CVE-2018-13391
MEDIUM
Atlassian Jira < 7.6.8, 7.7.0-7.7.4, 7.8.0-7.8.4, 7.9.0-7.9.2, 7.10.0-7.10.2, 7.11.0-7.11.1 - Email Address Exposure
Title source: llm
Description
The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote attackers who can access & view an issue to obtain the email address of the reporter and assignee user of an issue despite the configured email visibility setting being set to hidden.
References (2)
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/105165
Issue Tracking, Vendor Advisory x_refsource_confirm
https://jira.atlassian.com/browse/JRASERVER-67750
Scores
CVSS v3
5.3
EPSS
0.0015
EPSS Percentile
35.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (2)
atlassian/jira
< 7.6.8
atlassian/jira_server
7.7.0 - 7.7.5
Published
Aug 28, 2018
Tracked Since
Feb 18, 2026