Summary
Fisheye and Crucible are prone to cross-site scripting, security- bypass, and information-disclosure vulnerabilities.
Attackers can exploit these issues to execute arbitrary script code in the context of the website, steal cookie-based authentication information, disclose sensitive information, or bypass certain security restrictions.
Fisheye and Crucible versions prior to 2.4.4 are vulnerable.
Solution
Vendor updates are available. Please see the references for more information.
References
- http://confluence.atlassian.com/display/CRUCIBLE/FishEye+and+Crucible+Security+Advisory+2011-01-12
- http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2011-01-12
- http://www.atlassian.com/software/crucible/
- http://www.atlassian.com/software/fisheye/
- https://www.securityfocus.com/bid/45776
Updated on 2015-03-25
Severity
Classification
-
CVSS Base Score: 2.6
AV:N/AC:H/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- IBM WebSphere Application Server SIP Logging Information Disclosure Vulnerability
- Kusaba X Multiple Cross Site Scripting Vulnerabilities
- NetSaro Enterprise Messenger Cross Site Scripting and HTML Injection Vulnerabilities
- Sambar sendmail /session/sendmail
- netjukebox 'skin' Parameter Cross Site Scripting Vulnerability