Hi,
Not sure of the proper place for this discussion but hopefully this is the right way. I have also included the tags for bug reporting.
I have found a cross-site scripting vulnerability in the server2server jsp. This page handles the Server to Server settings. The parameter vulnerable to XSS is the domain parameter. To test you can simply add a script tag in to the domain field and use a valid port number. This will get persisted as well as cause a session to be taken/cause unwanted behavior such as an alert. (Example <script> alert('XSS Vulnerability'); </script>.
We can either provide the fix by using the already existing method removeXSSCharacters in StringUtils (I see in most case people use escapeHTMLTags) or use the industry wide standard of the ESAPI jar.
Thanks in Advance!
Scott