We’re aware and I’ll be patching soon; luckily it doesn’t affect us as badly as most because we use the Crowd identity system instead of the native JIRA user system. But the XSS holes do need to be plugged.
Summary, we’re aware, but situation not critical.