XSS in organisationId in /secure/admin/UpdateBitbucketCredentials.jspa
OrganisationId is passed unfiltered into the results page. Contents of the field persist through the "missing XSRF token" screen, so exploitation is trivial - just get your victim to click on the link. noformat GET...