Up to v4.7.4 and v4.6.15
v4.7.5+ and v4.6.16+
This release addresses an issue where it was possible to deliver a cross-site scripting attack through the CiviCRM backend.
To exploit this vulnerability, both the attacker and victim need permission to access the CiviCRM backend, and the victim must visit a specific screen.
For more information about this type of vulnerability, see OWASP's page on Cross Site Scripting.
Any ONE of the following solutions should provide protection:
- Upgrade to v4.7.5+ or v4.6.16+
- Backport https://github.com/civicrm/civicrm-core/pull/7989
- Mattias Michaux
- Chris Burgess (Fuzion)