Summary
Fisheye and Crucible are prone to cross-site scripting, security-bypass, and information-disclosure vulnerabilities.
Attackers can exploit these issues to execute arbitrary script code in the context of the website, steal cookie-based authentication information, disclose sensitive information, or bypass certain security restrictions.
Fisheye and Crucible versions prior to 2.4.4 are vulnerable.
Solution
Vendor updates are available. Please see the references for more information.
References
- http://confluence.atlassian.com/display/CRUCIBLE/FishEye+and+Crucible+Security+Advisory+2011-01-12
- http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2011-01-12
- http://www.atlassian.com/software/crucible/
- http://www.atlassian.com/software/fisheye/
- https://www.securityfocus.com/bid/45776
Updated on 2015-03-25