Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control or modify Contrast service API responses.
{
"source": "CPE_RANGE",
"cpe": "cpe:2.3:a:jenkins:contrast_continuous_application_security:*:*:*:*:*:jenkins:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "3.10"
}
]
}