Hi Team,
Our IT team has found a security exception issue with this URL: https://jira.lenovo.com/secure/popups/UserPickerBrowser.jspa
As we noticed, this URL isn’t asking for a login and is exposing the customer content as is (with PII information). Since our JIRA instance is open to the public, it is facing a bigger security threat. Please advise on a fix ASAP.
Log in as an admin, and go to "global permissions" in the administration screens.
Find the line that says "Browse users: anyone" and click delete underneath it.
As you have a system open to the internet and one of your administrators has thought it's ok to use "anyone", I'd strongly recommend that you review all of your permission schemes as well as global permissions, and check that "anyone" is only used for read-only access to the projects you really do want to be totally public.
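A sketch of the permission-scheme review recommended above, added here as an example and not part of the original answer. It assumes you have exported your schemes as JSON in the shape returned by Jira's permission-scheme REST resource (`permissionSchemes` → `permissions` → `holder.type` / `permission`); the sample data, the `READ_ONLY` set and the scheme names are constructed for illustration.

```python
import json

# Assumption: which permission keys count as read-only. Adjust to your policy.
READ_ONLY = {"BROWSE_PROJECTS", "VIEW_READONLY_WORKFLOW"}


def audit_anyone_grants(export, public_schemes=()):
    """Return (scheme, permission, reason) for each risky grant held by 'anyone'.

    export         -- parsed JSON export of permission schemes (assumed shape)
    public_schemes -- names of schemes you really do want to be totally public
    """
    findings = []
    for scheme in export.get("permissionSchemes", []):
        name = scheme.get("name", "<unnamed>")
        for grant in scheme.get("permissions", []):
            if grant.get("holder", {}).get("type") != "anyone":
                continue  # groups, roles and named users are out of scope here
            perm = grant.get("permission", "<unknown>")
            if perm not in READ_ONLY:
                reason = "anyone holds a non-read permission"
            elif name not in public_schemes:
                reason = "anyone can read a scheme not listed as public"
            else:
                continue  # read-only access on an intentionally public scheme
            findings.append((name, perm, reason))
    return findings


# Constructed sample export, not taken from any real instance.
SAMPLE = json.loads("""
{"permissionSchemes": [
  {"name": "Public Docs", "permissions": [
    {"holder": {"type": "anyone"}, "permission": "BROWSE_PROJECTS"},
    {"holder": {"type": "anyone"}, "permission": "ADD_COMMENTS"}]},
  {"name": "Customer Support", "permissions": [
    {"holder": {"type": "anyone"}, "permission": "BROWSE_PROJECTS"},
    {"holder": {"type": "group", "parameter": "jira-users"},
     "permission": "CREATE_ISSUES"}]},
  {"name": "Internal", "permissions": [
    {"holder": {"type": "applicationRole"}, "permission": "BROWSE_PROJECTS"}]}
]}
""")

if __name__ == "__main__":
    for scheme, perm, reason in audit_anyone_grants(SAMPLE, {"Public Docs"}):
        print(f"{scheme}: {perm}: {reason}")
```

This covers permission schemes only; the global "Browse users" permission still has to be checked on the global permissions screen as described above.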
Dear @Nic Brough -Adaptavist-,
Thank you for your explanation. If I change this option, it's no longer possible for a customer to mention me with the @ in the comment field. Is there another option, or did I miss a permission?
Hello @IT TEAM23
No, that's the whole point of being able to turn it off.