Stored XSS in administrative linker functionality through the href parameter - CVE-2018-20240
The administrative linker functionality in Atlassian Fisheye before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the href parameter...
