JIRA contains a number of support-related JSPs that have been added over the years. They were mostly for fighting spam and other support-related tasks. Unfortunately, none of these were ever tested very much, and they contain a lot of XSS holes. They are: groupnames.jsp, indexbrowser.jsp, classpath-debug.jsp, viewdocument.jsp, cleancommentspam.jsp, plugin-bundles.jsp
They should all be removed from JIRA unless we make a concentrated effort on integrating the functionality that they provide into the product!