Self-Cross-Site Scripting (XSS) on two administration pages

    • Type: Public Security Vulnerability
    • Resolution: Fixed
    • Priority: Low
    • 4.8.14
    • Affects Version/s: 4.8.0, 4.8.13
    • Component/s: None
    • None
    • 3.5

      The "Send test email" and "Universal Plugin Manager" pages, available for Fisheye administrators only, were vulnerable to Self-XSS.

      A Cross-Site Scripting (XSS) vulnerability occurs when user-controlled data is interpreted as code within the application. This can allow an attacker to inject JavaScript code that runs within the context of another user. Self-XSS is when the XSS vulnerability cannot be used to target other application users. This poses minimal risk but could be used in combination with a CSRF to cause the victim to trigger the XSS vulnerability.

            Assignee:
            Marek Parfianowicz
            Reporter:
            Marek Parfianowicz