We are having a XSS vulnerability issue with prod/non prod hudson boxes. We tried installing a few plugins like pegdown but the Vulnerability still seems to be there in scans.

The user can hit Hudsonurl//computer/(master)/ without any credentials.The vulerbailty is seen in /computer/(master)/loadStatistics/graph
We had given read acccess for anonymous in global settings, but if we remove that the users will no be able to see the dashboards.

Any help would be highly appreciated.