Security Risk: 
Critical
Vulnerability: 
Cross Site Scripting
SQL Injection
Affected Versions: 

4.5 - 4.6.8

Fixed Versions: 

4.6.9

Publication Date: 
Sunday, September 27, 2015
Description: 

There was a bug in one of CiviCRM's internal type checks that could allow inappropriate user input to be saved to the database and/or displayed.

This was a general weakness in one of CiviCRM's security layers; no specific exploits of this have been identified. This type of vulnerability could potentially allow attackers to save malicious content to the database or display it to site users.

Solutions: 

If you are using CiviCRM 4.5+, upgrade to the latest version.

Note that this bug did not affect the 4.4 LTS series.

Credits: 

Coleman Watts of the CiviCRM core team