Summary
Fisheye and Crucible are prone to cross-site scripting, security- bypass, and information-disclosure vulnerabilities.
Attackers can exploit these issues to execute arbitrary script code in the context of the website, steal cookie-based authentication information, disclose sensitive information, or bypass certain security restrictions.
Fisheye and Crucible versions prior to 2.4.4 are vulnerable.
Solution
Vendor updates are available. Please see the references for more information.
References
- http://confluence.atlassian.com/display/CRUCIBLE/FishEye+and+Crucible+Security+Advisory+2011-01-12
- http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2011-01-12
- http://www.atlassian.com/software/crucible/
- http://www.atlassian.com/software/fisheye/
- https://www.securityfocus.com/bid/45776
Updated on 2015-03-25
Severity
Classification
-
CVSS Base Score: 2.6
AV:N/AC:H/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- OneOrZero AIMS 'index.php' Cross Site Scripting Vulnerability
- Axis Commerce HTML Injection Vulnerability
- Bugzilla 'Install/Filesystem.pm' Information Disclosure Vulnerability
- Kusaba X Multiple Cross Site Scripting Vulnerabilities
- Apache mod_perl 'Apache::Status' and 'Apache2::Status' Cross Site Scripting Vulnerability