Fisheye and Crucible are prone to cross-site scripting, security- bypass, and information-disclosure vulnerabilities. Attackers can exploit these issues to execute arbitrary script code in the context of the website, steal cookie-based authentication information, disclose sensitive information, or bypass certain security restrictions. Fisheye and Crucible versions prior to 2.4.4 are vulnerable.

Vendor updates are available. Please see the references for more information.

• http://confluence.atlassian.com/display/CRUCIBLE/FishEye+and+Crucible+Security+Advisory+2011-01-12
• http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2011-01-12
• http://www.atlassian.com/software/crucible/
• http://www.atlassian.com/software/fisheye/
• https://www.securityfocus.com/bid/45776

---

Updated on 2015-03-25