The XSS vulnerability is only present in some parts of the UI where the username is incorrectly marked as "safe" for HTML output.

Known vulnerability points:

• When viewing a user's activity stream on their profile page
• When viewing the site-wide activity stream in the Administrative UI

This vulnerability was introduced when Atlassian ID was integrated with Answers. Previously, local-based user accounts had their usernames scrubbed before saving in the database.