Security Risk: 
Less Critical
Vulnerability: 
Cross Site Scripting
Affected Versions: 
  • 4.7.20 and earlier
  • 4.6.28 and earlier
Fixed Versions: 
  • 4.7.21
  • 4.6.29
Publication Date: 
Wednesday, July 5, 2017
Description: 

In the "Recently Viewed" block, the title field of the hyperlink was not properly escaped.
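
The class of bug described above, shown as an added example; this is not CiviCRM's code and not the patch referred to below. The function names, the `url`/`title` item layout and the sample data are assumptions made for the illustration, and the hardened version goes slightly beyond the title attribute by encoding the link text and `href` as well.

```php
<?php
// Added illustration, not CiviCRM code. Function names and the item layout
// (keys 'url' and 'title') are assumptions made for this example.

// Constructed sample data: the second title contains a double quote, which
// ends the title="..." attribute early if it is written out raw.
$recent = [
    ['url' => '/civicrm/contact/view?cid=12', 'title' => 'Jane Doe'],
    ['url' => '/civicrm/contact/view?cid=13', 'title' => 'x" data-injected="1'],
];

// Before: the title is concatenated straight into the attribute value.
function renderRecentUnescaped(array $items): string {
    $out = '';
    foreach ($items as $i) {
        $out .= '<li><a href="' . $i['url'] . '" title="' . $i['title'] . '">'
              . $i['title'] . "</a></li>\n";
    }
    return $out;
}

// ENT_QUOTES encodes both " and ', so a value cannot close its attribute.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// After: every value is encoded for the HTML context it lands in.
function renderRecentEscaped(array $items): string {
    $out = '';
    foreach ($items as $i) {
        $out .= '<li><a href="' . esc($i['url']) . '" title="' . esc($i['title']) . '">'
              . esc($i['title']) . "</a></li>\n";
    }
    return $out;
}

// Check: parse a rendering and list the attribute names found on its links.
function anchorAttributes(string $html): array {
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<ul>' . $html . '</ul>');
    $names = [];
    foreach ($doc->getElementsByTagName('a') as $a) {
        foreach ($a->attributes as $attr) { $names[$attr->name] = true; }
    }
    return array_keys($names);
}
print_r(anchorAttributes(renderRecentUnescaped($recent)));
print_r(anchorAttributes(renderRecentEscaped($recent)));
```

Comparing the two attribute lists is a quick regression check: any attribute name beyond `href` and `title` means a value escaped its attribute.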

Solutions: 

Upgrade to the latest CiviCRM version

If you cannot upgrade, you should apply the following patch:

Credits: 

Chris Burgess of Fuzion Aotearoa for reporting the issue

Sean Madsen for fixing the issue