Cross site scripting
In Jenkins 2.340 through 2.355 both inclusive the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission...