We have identified and fixed a cross-site scripting (XSS) vulnerability in FishEye's Code Metrics Report plugin. This affects FishEye 2.0.x to 2.3.6 inclusive.
- An attacker might take advantage of an XSS vulnerability to steal the current session of a logged-in user.
This issue is reported in our security advisory on this page:
You can read more about XSS attacks at cgisecurity, CERT and other places on the web: