Exactly as the title puts it, cross-site scripting through content injected from the X-Forwarded-Host header. Its interesting that this one was paid out as without some other issue like cache poisoning it would be impossible as far I am aware to exploit this as you cannot control the headers of a random user’s requests.