Stapler is the web framework used by Jenkins to route HTTP requests. When its debug mode is enabled, HTTP 404 error pages display diagnostic information. Those error pages did not escape parts of URLs they displayed, in rare cases resulting in a cross-site scripting vulnerability.
External Reference:
https://jenkins.io/security/advisory/2018-07-18/#SECURITY-390