A flaw was found in the Jenkins package. Jenkins does not escape tooltips of the l:helpIcon UI component, which is used for some help icons in the Jenkins web UI. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component.