Jenkins Zoho QEngine Plugin 1.0.29.vfa_cc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it.
The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.