A flaw was found in Jenkins weekly and LTS. Both are vulnerable to cross-site scripting caused by improper validation of user-supplied input in the caption constructor parameter of ExpandableDetailsNote. A remote, authenticated attacker could use this issue to inject malicious script into a Web page. The script would be executed in a victim’s Web browser in the context of the hosting Web site and could then steal the victim’s cookie-based authentication credentials.