We have identified and fixed a cross-site scripting (XSS) vulnerability in the Crucible changeset comments in search results.

Affected versions are Crucible 2.3.0 to 2.5.0 inclusive.

XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a FishEye/Crucible page. You can read more about XSS attacks at various places on the web, including these:

• cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
• The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

This issue is reported in our security advisory on these pages:

• https://confluence.atlassian.com/x/_QbSEQ
• https://confluence.atlassian.com/x/hAjSEQ