An XSS regarding the domain on the setup page was reported to the security@igniterealtime.org list by Rajwinder Singh. A more detailed blog post exists as well.
This is a bit daft to list as a serious security problem. The setup pages are presumed to be a one-off path by a single administrative user - the only person they could be attacking via this XSS is therefore themselves.
In many respects, I'd rather work on securing the setup process rather than faff about with largely pointless "security" issues like this - on the other hand, it's a slam-dunk for cleaning up a CVE, so I'll close it.