We have identified and fixed a cross-site scripting (XSS) vulnerability in FishEye's revision ID parameters on annotated views. This affects FishEye 2.3.0 to 2.3.6 inclusive.
- An attacker might take advantage of an XSS vulnerability to steal the current session of a logged-in user.
This issue is reported in our security advisory on this page:
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.