In Jenkins, the build timeline widget shown on URLs like /view/…/builds did not properly escape display names of items. This resulted in a cross-site scripting vulnerability exploitable by users able to control item display names. External Reference: https://jenkins.io/security/advisory/2018-07-18/#SECURITY-944
Created jenkins tracking bugs for this issue: Affects: fedora-all [bug 1609621]