Stored XSS vulnerability in Jenkins Active Choices Plugin

Jenkins Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Jenkins Active Choices Plugin 2.5.7 escapes references to parameter names.