Jenkins Kiuwan Plugin 1.6.0 and earlier does not escape query parameters in an error message for a form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.
Only older releases of Jenkins are affected by this vulnerability. Jenkins 2.275 and newer, LTS 2.263.2 and newer include a protection preventing this from being exploitable.
Jenkins Kiuwan Plugin 1.6.1 escapes affected parts of the error message in the form validation endpoint.