Security Risk: Moderately Critical
Vulnerability: Open Redirect
Affected Versions:
  • CiviCRM before v4.6.6
  • CiviCRM LTS before v4.4.18
Fixed Versions:
  • CiviCRM v4.6.7
  • CiviCRM LTS v4.4.19
Publication Date: Thursday, August 20, 2015
Description: 

The contribution page's return URL could be used to redirect site visitors to another URL.

For more information about this type of attack, see OWASP's reference page on open redirects.
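The defensive check this class of bug calls for is to validate a return URL before redirecting to it. The following is an added example written for this advisory; it is not CiviCRM's code and does not reflect how the project fixed the issue. The allow-listed host name and the sample paths are constructed placeholders. The validator rejects the usual ways an open-redirect filter is bypassed: foreign absolute URLs, scheme-relative `//host` and `///host` forms, backslash-as-slash, userinfo tricks (`https://good@evil`), non-HTTP schemes, and embedded control characters.

```python
"""Validate a user-supplied return URL before issuing an HTTP redirect.

Constructed example for this advisory; not CiviCRM code. The allow-listed
host name below is a placeholder.
"""
from urllib.parse import urlsplit

# Hypothetical: the host names this site is willing to send visitors to.
ALLOWED_HOSTS = {"civi.example.org"}
ALLOWED_SCHEMES = {"http", "https"}
FALLBACK = "/"


def is_safe_return_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `url` stays on this site or an allow-listed host."""
    if not isinstance(url, str) or not url:
        return False
    # Reject ASCII control characters and whitespace anywhere. Browsers strip
    # some of them, so "java\tscript:" or " //evil" can slip past naive checks.
    if any(ord(c) < 0x21 or c == "\x7f" for c in url):
        return False
    # Browsers treat "\" like "/" in the authority position, so "/\evil.example"
    # is really "//evil.example". Reject backslashes outright.
    if "\\" in url:
        return False
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal in the host
        return False
    if parts.scheme:
        # Absolute URL: scheme and host must both be allow-listed.
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            return False        # javascript:, data:, vbscript:, ...
        host = parts.hostname   # drops userinfo and port, lowercases
        return host is not None and host in allowed_hosts
    if parts.netloc:
        # Scheme-relative "//evil.example/x" inherits https:// from the page.
        return False
    # Relative path: exactly one leading slash. "///evil.example" parses with an
    # empty netloc in Python but browsers collapse the extra slashes into an
    # authority, so anything starting with "//" is refused as well.
    return url.startswith("/") and not url.startswith("//")


def redirect_target(requested, fallback=FALLBACK, allowed_hosts=ALLOWED_HOSTS):
    """Pick the URL to redirect to: the requested one if safe, else the fallback."""
    return requested if is_safe_return_url(requested, allowed_hosts) else fallback


if __name__ == "__main__":
    for candidate in ("/civicrm/contribute/transact?reset=1",
                      "https://civi.example.org/thanks",
                      "//evil.example/",
                      "https://civi.example.org@evil.example/",
                      "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {redirect_target(candidate)!r}")
```

The same-origin case is handled by insisting on a single leading slash rather than by comparing host names, which avoids having to know the site's own scheme and port at validation time; the allow list is only consulted for absolute URLs.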

Solutions: 
Either:
Credits: 

Thanks to Rob Brandt for reporting this issue.