JRASERVER-61888
XSS in /includes/decorators/global-translations.jsp

Reported: 2016-07-15 02:23:27
Source: jira.atlassian.com

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE

CVSS3: 6.1 Medium (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: LOW
  Integrity Impact: LOW
  Availability Impact: NONE

EPSS: 0.003 Low (percentile 70.1%)

{panel:bgColor=#e7f4fa}
NOTE: This bug report is for JIRA Server. Using JIRA Cloud? [See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-61888].
{panel}

Somewhat hard to exploit directly, but still doable in combination with cache poisoning. Steps to reproduce:

  • Tamper with a GET request to {{http://<JIRA instance>/includes/decorators/global-translations.jsp}}, setting the {{Host}} header to an XSS payload (e.g. {code}<script>alert(/xss/)</script>{code})
  • The offending line picks up this value unescaped and the browser renders it (observe an alert with the text "xss")

Offending code in {{/src/main/webapp/includes/decorators/global-translations.jsp#18}}:

{code:java}
17 <input type="hidden" title="ajaxUnauthorised" value="<ww:text name="'common.forms.ajax.unauthorised.alert'"/>">
18 <input type="hidden" title="baseURL" value="<%=request.getScheme() + "://" + request.getServerName() + ':' + request.getServerPort() + request.getContextPath()%>">
19 <input type="hidden" title="ajaxCommsError" value="<ww:text name="'common.forms.ajax.commserror'"/>">
{code}
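As an added example (not Jira's code and not Atlassian's actual fix), a hypothetical Java helper that reproduces the line-18 concatenation beside a hardened form which rejects hostnames outside a configured allow-list and HTML-escapes the value before it lands in an attribute. The hostname jira.example.test, the port and the context path are constructed values.

```java
import java.util.Set;

/** Hypothetical helper (added example, not Jira's code): line 18's baseURL next to a hardened form. */
public final class BaseUrlExample {
    // Constructed allow-list of hostnames this instance is legitimately served under.
    private static final Set<String> ALLOWED_HOSTS = Set.of("jira.example.test");

    /** Mirrors line 18: the Host header value is concatenated and emitted without escaping. */
    static String vulnerableBaseUrl(String scheme, String serverName, int port, String ctx) {
        return scheme + "://" + serverName + ":" + port + ctx;
    }

    /** Hardened form: unknown hostnames are rejected (so a poisoned Host header is never cached or rendered) and the value is attribute-escaped. */
    static String hardenedBaseUrl(String scheme, String serverName, int port, String ctx) {
        if (!ALLOWED_HOSTS.contains(serverName.toLowerCase())) {
            throw new IllegalArgumentException("Host header does not match the configured base URL");
        }
        return escapeAttribute(scheme + "://" + serverName + ":" + port + ctx);
    }

    /** Escapes the characters that can terminate a quoted HTML attribute or open a tag. */
    static String escapeAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed Host header value in the shape of the report's payload.
        String tamperedHost = "<script>alert(/xss/)</script>";
        System.out.println(vulnerableBaseUrl("http", tamperedHost, 8080, "/jira"));                  // payload passes through unchanged
        System.out.println(escapeAttribute(vulnerableBaseUrl("http", tamperedHost, 8080, "/jira"))); // inert text
        try {
            hardenedBaseUrl("http", tamperedHost, 8080, "/jira");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(hardenedBaseUrl("http", "jira.example.test", 8080, "/jira"));
    }
}
```

Checking the hostname against the instance's configured base URL is what stops the poisoned response from being cached for other users; escaping alone only neutralises the markup.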

Affected configurations (Atlassian Jira Data Center):

  • 6.0
  • 6.3
  • 6.4
  • 7.0.0
  • 7.1.0
  • 7.1.7
  • < 7.2.2
  • Archived Jira Cloud
