Cross-site scripting in fisheye - CVE-2011-4822
Published: December 15, 2011 / Updated: August 11, 2020
fisheye
Detailed vulnerability description
Vulnerability allows a remote attacker to perform Cross-site scripting attacks.
An input validation error exists in the user profile feature in Atlassian FishEye before 2.5.5 when processing (1) snippets in a user comment, which is not properly handled in a Confluence page, or (2) the user profile display name, which is not properly handled in a FishEye page. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
How to mitigate CVE-2011-4822
Sources
- http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2011-11-22
- http://osvdb.org/77263
- http://osvdb.org/77264
- http://secunia.com/advisories/46975
- http://www.securityfocus.com/bid/50762
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71426
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71427
- https://jira.atlassian.com/browse/FE-3797
- https://jira.atlassian.com/browse/FE-3798