Somewhat hard to exploit but still doable when it comes to cache poisoning. Steps to reproduce:
- Tamper with a GET request to http://<JIRA instance>/includes/decorators/global-translations.jsp with the Host header set to some XSS payload (e.g.
- The offending lines in code pick up this payload and the browser renders it (observe an alert with text "xss")
Offending code in /src/main/webapp/includes/decorators/global-translations.jsp#18:
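
Added example, not the Jira source and not the offending lines referenced above: one defensive way to treat the Host header before a page uses it, by accepting only hosts configured for the instance and HTML-encoding anything that is echoed. The class name `HostHeaderGuard`, the allowlist entries and the sample header values are assumptions, and HTML is assumed as the output context.

```java
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not Jira code. Names and sample values are assumptions.
public class HostHeaderGuard {
    // Host syntax: letters, digits, dot, hyphen, plus an optional port.
    private static final Pattern HOST_SYNTAX =
        Pattern.compile("^[a-z0-9]([a-z0-9.-]{0,253}[a-z0-9])?(:[0-9]{1,5})?$");
    private final Set<String> allowedHosts;

    public HostHeaderGuard(Set<String> allowedHosts) { this.allowedHosts = allowedHosts; }

    /** Returns the host only if it is well-formed and configured for this instance. */
    public Optional<String> validate(String hostHeader) {
        if (hostHeader == null) return Optional.empty();
        String host = hostHeader.trim().toLowerCase(Locale.ROOT);
        if (!HOST_SYNTAX.matcher(host).matches()) return Optional.empty();
        return allowedHosts.contains(host) ? Optional.of(host) : Optional.empty();
    }

    /** HTML-encodes a value for element content or a quoted attribute. */
    public static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        HostHeaderGuard guard =
            new HostHeaderGuard(Set.of("jira.example.com", "jira.example.com:8080"));
        // Constructed Host values: one configured, one foreign, one carrying markup.
        String[] samples = {"jira.example.com", "other.example.net",
                            "jira.example.com\"><b>injected</b>"};
        for (String h : samples) {
            String verdict = guard.validate(h).map(v -> "use " + v).orElse("reject with 400");
            System.out.println(htmlEncode(h) + " -> " + verdict);
        }
    }
}
```

Rejecting unknown hosts before the response is generated also keeps a shared cache from storing a response built from an attacker-chosen Host value, which is the cache-poisoning path the report mentions.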