Security Risk: 
Less Critical
Vulnerability: 
Cross Site Scripting
Affected Versions: 

CiviCRM Versions prior to 4.7.26 and 4.6.33

Fixed Versions: 

CiviCRM Versions 4.7.26 and 4.7.33

Publication Date: 
Wednesday, January 11, 2017
Description: 

In a number of locations within the CiviCRM code base there were potentially un-escaped variables passed into html link attributes such as alt and title​. One such example was in event registration pages where administrators were able to set the button text and also the title attribute to anything they chose. This fixes it by properly escaping the content of those attributes. 

Solutions: 

Either Upgrade to the latest version of CiviCRM

  • 4.7.26
  • 4.6.33

or later

If you cannot upgrade apply the following patch

Credits: 

Sean Madsen of Left Join Labs for reporting the issue

Seamus Lee of Australian Greens for fixing the issue. 

References: