Summary

In May 2022, RaleyApps enrolled in the Bugcrowd security testing program. During testing, two vulnerabilities were identified in Raley Purchase Orders version 1.0.11-AC. Both were resolved in version 1.0.12-AC, released June 30, 2022.

Vulnerabilities Fixed

1. Unauthorized Admin Access

Issue: A JSM customer user was able to access administrative configuration pages that should have been restricted.
Root cause: Insufficient authorization checks on the affected page.
Fix: Additional permission verification controls were implemented.
Customer impact: No confirmed exploitation based on access log review.

2. Missing Authorization on API Endpoints

Issue: Multiple backend REST API endpoints lacked proper authorization verification, allowing unauthorized users to potentially access, modify, or delete:
  • Company data
  • Approval tiers
  • Department-related data
  • Jira configuration settings
Root cause: Incorrect authorization controls on the application backend.
Fix: Applied simultaneously with vulnerability #1 in version 1.0.12-AC.
Customer impact: No evidence of exploitation in any customer installation.
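Both findings are the same class of defect: an endpoint that confirms the caller is authenticated but never checks whether that caller is allowed to perform the action. The following is an added illustration, not RaleyApps' code and not how the fix in 1.0.12-AC is implemented. It assumes the request has already been authenticated (for example by verifying the Atlassian Connect JWT) and reduced to a principal with an account id and roles; the role names, paths, store contents and handler shapes are constructed for this example.

```javascript
// Added example, not RaleyApps' code: a deny-by-default router that performs the
// authorization check in one place instead of trusting each handler to remember it.
// Assumed: the caller has already authenticated the request (e.g. verified the
// Connect JWT) and produced a principal { accountId, roles }.
// Role names, paths and sample data are constructed for this example.

const ADMIN = 'jira-admin';
const CUSTOMER = 'jsm-customer';

// Constructed configuration data standing in for company / tier / department settings.
function newStore() {
  return {
    companies: ['Acme', 'Globex'],
    approvalTiers: [1000, 5000],
    departments: ['Finance', 'Legal'],
  };
}

// Audit record of every denied request: the kind of trail an access-log review relies on.
const denied = [];

class Router {
  constructor() {
    this.routes = [];
  }

  // Every route must declare which roles may call it. A route with no rule is a
  // bug, so registration fails closed instead of silently exposing the endpoint.
  add(method, path, allow, handler) {
    if (!Array.isArray(allow) || allow.length === 0) {
      throw new Error(`route ${method} ${path} has no authorization rule`);
    }
    this.routes.push({ method, path, allow, handler });
  }

  dispatch(req) {
    const route = this.routes.find((r) => r.method === req.method && r.path === req.path);
    if (!route) return { status: 404 };
    const roles = (req.principal && req.principal.roles) || [];
    if (!route.allow.some((role) => roles.includes(role))) {
      denied.push({
        who: req.principal ? req.principal.accountId : 'anonymous',
        method: req.method,
        path: req.path,
      });
      return { status: 403 }; // authorization failure: the handler never runs
    }
    return route.handler(req);
  }
}

// Builds the admin endpoints over a given store so each run starts from clean data.
function buildApp(store) {
  const router = new Router();
  router.add('GET', '/api/config', [ADMIN], () => ({ status: 200, body: store }));
  router.add('DELETE', '/api/company', [ADMIN], (req) => {
    const i = store.companies.indexOf(req.body.name);
    if (i < 0) return { status: 404 };
    store.companies.splice(i, 1);
    return { status: 204 };
  });
  // A customer-facing endpoint: customers may read approval tiers but nothing else.
  router.add('GET', '/api/tiers', [ADMIN, CUSTOMER], () => ({ status: 200, body: store.approvalTiers }));
  return router;
}

// The shape of the defect: a handler that only checks that *someone* is
// authenticated, so a customer-role principal can delete admin configuration.
function deleteCompanyUnchecked(store, req) {
  if (!req.principal) return { status: 401 };
  const i = store.companies.indexOf(req.body.name);
  if (i < 0) return { status: 404 };
  store.companies.splice(i, 1);
  return { status: 204 };
}
```

Two design points carry the weight here: the allowed-role list is declared per route and enforced by the router, so a new endpoint cannot be added without an authorization rule, and every denial is recorded with the caller's identity and the target path, which is what makes a later "no evidence of exploitation" statement checkable against logs.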

Action Required

Update to version 1.0.12-AC or later. If you are running an older version, please update through the Atlassian Marketplace.
