The "User Dark Features" page is vulnerable to XSRF/CSRF


The "User Dark Features" page located at $host/secure/ViewProfile.jspa?selectedTab=jira.user.profile.panels:up-darkfeatures-panel allows users to add dark features which only affect themselves. However, it is not protected against XSRF attacks. Note: the 'value' of dark features is not properly encoded when output into a JavaScript context (if one is to enter ' + eval(alert(1) ) + ' as a dark feature, then an alert dialogue with the number one in it will be shown on every page), so the impact of this vulnerability includes XSS.
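The two defects the report describes, shown side by side as an added example (this is not JIRA's code and not the reporter's; the page does not show the actual template, so the inline-script shape "var darkFeature = '...';", the function names and the token-check names are assumptions). The vulnerable renderer splices the stored value into a single-quoted JavaScript string literal, so the quoted payload ' + eval(alert(1) ) + ' closes the literal and runs; the hardened renderer encodes the value for the JavaScript-string context first. A synchronizer-token check of the kind the endpoint lacks is included for the CSRF half.

```javascript
// Added illustration, not JIRA's code. The report says the dark-feature value is
// written unencoded into a JavaScript context; the exact JIRA template is not on
// the page, so the inline script "var darkFeature = '...';" below is assumed.

// Payload quoted in the report.
const PAYLOAD = "' + eval(alert(1) ) + '";

// Vulnerable rendering: the stored value is concatenated into a single-quoted
// JS string literal with no JS-context encoding, so a quote in the value ends
// the literal and whatever follows is parsed as code.
function renderUnsafe(value) {
  return "var darkFeature = '" + value + "';";
}

// Hardened rendering: JSON.stringify produces a valid double-quoted JS string
// literal (quotes and backslashes escaped). The extra replacements cover what
// JSON.stringify leaves alone but a <script> block still cares about.
function encodeForJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')       // "</script>" can no longer close the element
    .replace(/\u2028/g, '\\u2028')  // line/paragraph separators are valid JSON but
    .replace(/\u2029/g, '\\u2029'); // were syntax errors in JS string literals before ES2019
}

function renderSafe(value) {
  return 'var darkFeature = ' + encodeForJsString(value) + ';';
}

// Execute a rendered script roughly as a browser would, with alert() stubbed so
// the caller can see whether an injected call fired. Returns the recorded
// alert arguments and the final value of darkFeature.
function runScript(script) {
  const alerts = [];
  const alert = (x) => { alerts.push(x); };
  const fn = new Function('alert', script + '\nreturn darkFeature;');
  return { alerts, value: fn(alert) };
}

// CSRF side: a synchronizer-token check of the kind the endpoint lacks (names
// assumed). The comparison is constant-time so a token cannot be recovered
// byte by byte from response timing.
function csrfTokenValid(sessionToken, submittedToken) {
  if (typeof sessionToken !== 'string' || typeof submittedToken !== 'string') return false;
  if (sessionToken.length === 0 || sessionToken.length !== submittedToken.length) return false;
  let diff = 0;
  for (let i = 0; i < sessionToken.length; i++) {
    diff |= sessionToken.charCodeAt(i) ^ submittedToken.charCodeAt(i);
  }
  return diff === 0;
}

// Demo when run directly: node darkfeature_xss.js
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderUnsafe(PAYLOAD), runScript(renderUnsafe(PAYLOAD)));
  console.log(renderSafe(PAYLOAD), runScript(renderSafe(PAYLOAD)));
}
```

With the report's payload, runScript(renderUnsafe(PAYLOAD)) records alert(1) and leaves darkFeature equal to the string "undefined" (the concatenated result of eval(alert(1))), which is exactly the "alert on every page" behaviour described; runScript(renderSafe(PAYLOAD)) fires nothing and darkFeature holds the payload text verbatim. HTML-encoding the value would not be the right fix here: the sink is a JavaScript string, so the encoding must be for that context.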

Assignee: Eric Dalgliesh
Reporter: David Black
Votes: 0
Watchers: 3
