- Type: Bug
- Resolution: Fixed
- Priority: Medium
- Component/s: None
A third-party scan found that the ConvertIssue.jspa action is vulnerable to content spoofing, specifically text injection. In this case, the content spoofing may be used to perform a phishing attack on users.
How to reproduce:
1. Go to http://$jira/$contextPath/secure/ConvertIssue.jspa?id=1)%20Please%20login%20again%20at%20https://attacker.com%20
2. Observe that the id parameter value appears HTML-encoded in the error message below.
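The behaviour in the steps above, as an added example that is not Jira's code: HTML-encoding the `id` value blocks markup but still shows the injected sentence to the user, while validating the value and not echoing rejected input removes it. The `jira.example` host, the error message wording and the rule that issue ids are decimal integers are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request, modelled on the reproduction URL in step 1.
SAMPLE_URL = ("http://jira.example/secure/ConvertIssue.jspa"
              "?id=1)%20Please%20login%20again%20at%20https://attacker.com%20")

# Assumption: a valid issue id is a short decimal integer.
ISSUE_ID = re.compile(r"[0-9]{1,18}")


def get_id(url):
    """Return the URL-decoded id query parameter ('' if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("id", [""])[0]


def error_reflecting(raw_id):
    """Pattern from the report: encode the value, then echo it in the error."""
    # Hypothetical message text; only the reflection of raw_id matters here.
    return "<p class='error'>No issue found with id %s</p>" % html.escape(raw_id)


def error_fixed(raw_id):
    """Hardened form: echo the id only if it has the expected shape."""
    if ISSUE_ID.fullmatch(raw_id):
        return "<p class='error'>No issue found with id %s</p>" % raw_id
    return "<p class='error'>The issue id supplied is not valid.</p>"


def visible_text(markup):
    """Approximate what the user reads: drop tags, decode entities."""
    return html.unescape(re.sub(r"<[^>]*>", "", markup))


if __name__ == "__main__":
    value = get_id(SAMPLE_URL)
    print("reflecting:", visible_text(error_reflecting(value)))
    print("fixed:     ", visible_text(error_fixed(value)))
```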
- relates to: JRASERVER-40092 Content Spoofing in the /issues/?filter (Closed)
- SCT-1698