Somewhat hard to exploit but still doable when it comes to cache poisoning. Steps to reproduce:
Offending code in {{/src/main/webapp/includes/decorators/global-translations.jsp#18}}:
{code:java}
17 <input type="hidden" title="ajaxUnauthorised" value="<ww:text name="'common.forms.ajax.unauthorised.alert'"/>">
18 <input type="hidden" title="baseURL" value="<%=request.getScheme() + "://" +request.getServerName() + ':' + request.getServerPort() + request.getContextPath()%>">
19 <input type="hidden" title="ajaxCommsError" value="<ww:text name="'common.forms.ajax.commserror'"/>">
{code}
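One way to harden line 18, as an added example that is not the project's own code or the fix applied to this issue: the value returned by {{request.getServerName()}} is checked against an allow-list and the result is HTML-attribute-encoded before it is written into the page. The class name {{SafeBaseUrl}}, the {{ALLOWED_HOSTS}} set and the host {{app.example.com}} are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Set;

public class SafeBaseUrl {
    // Assumption: hostnames this deployment is really served under (constructed values).
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com", "localhost");
    private static final String CANONICAL_HOST = "app.example.com"; // from configuration, not the request

    /** Minimal HTML encoder for a double-quoted attribute value. */
    static String encodeAttr(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Builds the baseURL attribute value. serverName is taken from the Host header,
     * so a value outside the allow-list is replaced by the configured host; a cached
     * copy of the page then never carries a client-chosen host.
     */
    static String baseUrl(String scheme, String serverName, int port, String contextPath) {
        String host = serverName == null ? "" : serverName.toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(host)) {
            host = CANONICAL_HOST;
        }
        String safeScheme = "https".equalsIgnoreCase(scheme) ? "https" : "http";
        // Encode the whole value even after validation (defence in depth).
        return encodeAttr(safeScheme + "://" + host + ":" + port + contextPath);
    }

    public static void main(String[] args) {
        // Constructed inputs: an expected Host value, then one containing markup characters.
        System.out.println(baseUrl("https", "app.example.com", 443, "/app"));
        System.out.println(baseUrl("http", "x\"><b>.example", 80, "/app"));
    }
}
```

In the JSP, the scriptlet on line 18 would emit the return value of {{baseUrl(...)}} instead of concatenating the request fields directly.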