Affected versions:
- CiviCRM before v4.6.6
- CiviCRM LTS before v4.4.18

Fixed versions:
- CiviCRM v4.6.7
- CiviCRM LTS v4.4.19
Description: The contribution page's return URL could be used to redirect site visitors to an arbitrary external URL (an open redirect).
For more information about this type of attack, see OWASP's reference page on open redirects.
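The usual mitigation for this class of bug is to validate the return URL before redirecting, so it can only land on the site's own host or a site-relative path. The following is an added example written for this advisory, not CiviCRM's own code; `ALLOWED_HOSTS` and the sample inputs are assumed values.

```python
"""Added example (not CiviCRM's own code): validate a user-controlled return
URL before issuing a redirect, so it can only land on the site's own host.

ALLOWED_HOSTS is an assumption; a real deployment would read it from config.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.org"}  # constructed value for this example


def safe_return_url(candidate, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return `candidate` if it stays on an allowed host, else `fallback`."""
    candidate = candidate.strip()
    if not candidate:
        return fallback
    # Control characters and backslashes are rejected outright: browsers treat
    # "\" as "/", so "/\evil.example" would become a scheme-relative URL, and
    # CR/LF could otherwise reach a Location header.
    if any(ord(c) <= 0x20 for c in candidate) or "\\" in candidate:
        return fallback
    # Site-relative path: exactly one leading slash ("//host" is scheme-relative).
    if candidate.startswith("/"):
        return fallback if candidate.startswith("//") else candidate
    try:
        parts = urlsplit(candidate)
        host = parts.hostname  # lowercased, userinfo and port removed
    except ValueError:  # e.g. malformed IPv6 literal such as "https://[evil"
        return fallback
    # No http(s) scheme or no host ("javascript:alert(1)", "evil.example/x").
    if parts.scheme.lower() not in ("http", "https") or not host:
        return fallback
    # hostname strips userinfo, so "https://www.example.org@evil.example/"
    # is compared as "evil.example" and rejected.
    if host not in allowed_hosts:
        return fallback
    return candidate
```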
Solution:
- Upgrade to a fixed release of CiviCRM, or
- Patch with https://github.com/eileenmcnaughton/civicrm-core/commit/6ef7bd91a684e23c...
Thanks to Rob Brandt for reporting this issue.