Unrated severity · NVD Advisory · Published Dec 15, 2011 · Updated Apr 29, 2026

CVE-2011-4822

Description

Multiple cross-site scripting (XSS) vulnerabilities in the user profile feature in Atlassian FishEye before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via (1) snippets in a user comment, which is not properly handled in a Confluence page, or (2) the user profile display name, which is not properly handled in a FishEye page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerabilities in the Atlassian FishEye user profile feature allow injection of arbitrary web script or HTML via the display name or comment snippets; fixed in version 2.5.5.

Vulnerability

Multiple stored cross-site scripting (XSS) vulnerabilities exist in the user profile feature of Atlassian FishEye prior to version 2.5.5. The first vulnerability (FE-3797) allows injection via the user profile display name, while the second (FE-3798) allows injection via snippets in a user's comment. Both are triggered when the injected data is rendered on a FishEye or Confluence page without proper sanitization [1][2][3].

Exploitation

An attacker can submit a crafted payload in the display name field or in a comment snippet. The payload is stored and later executed in the browser of any user viewing the affected page. No authentication is required if the attacker can register or edit their own profile, but the attack is self-XSS unless the attacker can trick another user into viewing the crafted profile or comment [1].

Impact

Successful exploitation allows remote attackers to inject arbitrary HTML or JavaScript, potentially leading to session hijacking, defacement, or theft of sensitive information in the context of the victim's session [1]. The impact is elevated if the instance is publicly accessible [1].

Mitigation

The vulnerabilities are fixed in FishEye version 2.5.5, released November 22, 2011 [1][2][3]. Users should upgrade to 2.5.5 or later. There are no workarounds mentioned in the references; upgrading is the recommended mitigation.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Atlassian/Fisheye: 57 versions
    • cpe:2.3:a:atlassian:fisheye:1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:1.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:1.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:1.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:1.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:1.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:1.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:1.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:1.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:1.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:1.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:1.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:1.6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:1.6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:1.6.5.a:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:1.6.6:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.0:beta:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.3.5:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.3.6:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.3.7:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.3.8:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.4.5:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.4.6:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:atlassian:fisheye:2.5.4:*:*:*:*:*:*:*
    • (no CPE) range: <2.5.5

References

9
