Jenkins form controls include an expandable textbox that can transform from a single-line text box to a multi-line text area. The implementation of this transformation interpreted the text content of the form field as HTML. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the contents of such f:expandableTextbox form controls.
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1764477]
Jenkins is currently(at the time of it's comment) on 2.222.1. Fix required 2.196.
Hence closing this bug.