JIRA contains a number of support related JSPs that have been added over the years. They were mostly for fighting spam and other support related tasks. Unfortunately none of these were ever tested very much and contain a lot of XSS holes. They are: * groupnames.jsp * indexbrowser.jsp * classpath-debug.jsp * viewdocument.jsp * cleancommentspam.jsp * plugin-bundles.jsp
They should all be removed from JIRA unless we make a concentrated effort on integrating the functionality that they provide into the product!