Reflected XSS within the username parameter of the /user/non-system/{username} rest resource

    • 7.5

      The confluence-rest-plugin has a REST resource to look up "non-system" users which takes in a username. If the supplied username is not found then it is included in an XML error message without being XML encoded and thus is an XSS vector. That is, < > and other such XML special characters are not encoded.

      However, I am unable to exploit the issue, as if a "/" is found anywhere in the "username" portion of the URL then the resource is not mapped (the URL is no longer mapped to the non-system user REST resource).

              Assignee:
              Katrina Walser (Inactive)
              Reporter:
              David Black
              Votes:
              0
              Watchers:
              4

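An added illustration of the encoding flaw the report describes, with the corrected form beside it. This is not Confluence's code: it is written in Python rather than the plugin's Java, and the response format, function names and sample usernames are constructed for the example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed error format; the page does not show the plugin's real response body.
PREFIX = "No user found with name: "


def error_unencoded(username: str) -> str:
    """Pattern from the report: the value is concatenated into the XML as-is."""
    return f"<status><message>{PREFIX}{username}</message></status>"


def error_encoded(username: str) -> str:
    """Encode &, < and > (plus both quote characters) before building the body."""
    safe = escape(username, {'"': "&quot;", "'": "&apos;"})
    return f"<status><message>{PREFIX}{safe}</message></status>"


def error_via_serializer(username: str) -> str:
    """Let an XML serializer do the encoding instead of string concatenation."""
    root = ET.Element("status")
    ET.SubElement(root, "message").text = PREFIX + username
    return ET.tostring(root, encoding="unicode")


def inspect(xml_text: str):
    """Parse a response the way a consumer would.

    Returns (child element names inside <message>, text of <message>),
    or None when the document is not well-formed.
    """
    try:
        message = ET.fromstring(xml_text).find("message")
    except ET.ParseError:
        return None
    return [child.tag for child in message], message.text


if __name__ == "__main__":
    # Constructed sample usernames containing XML special characters.
    for name in ["alice", "<b>x</b>", "a&b"]:
        print(repr(name))
        print("  unencoded :", inspect(error_unencoded(name)))
        print("  encoded   :", inspect(error_encoded(name)))
        print("  serializer:", inspect(error_via_serializer(name)))
```

In the unencoded variant the markup in the username becomes a real child element of `<message>` (or breaks the document outright); in both corrected variants the parser sees no extra elements and the username comes back as plain text.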