Security Risk: 
Moderately Critical
Cross Site Scripting
Affected Versions: 

CiviCRM versions prior to 4.7.26 and 4.6.33

Fixed Versions: 

CiviCRM version 4.7.26 and 4.6.33

Publication Date: 
Wednesday, November 1, 2017

When creating a premium product in CiviCRM, the product name was not properly escaped when it was output as the alternate text of an image used for the product. On contribution pages, this had the potential to expose credit card information.
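
The escaping gap described above, shown as an added example that is neither CiviCRM's code nor the patch: an unescaped and an escaped rendering of an image's alt text, plus a regression check that parses the output and lists the attributes that ended up on the `<img>` element. The function names, URL and product name are constructed for illustration.

```php
<?php
// Added illustration, not CiviCRM code. All names and sample values
// below are constructed for this example.

// 'Before' pattern: the product name is placed in the alt attribute as-is.
function render_premium_image_unescaped(string $imageUrl, string $productName): string {
    return '<img src="' . htmlspecialchars($imageUrl, ENT_QUOTES, 'UTF-8')
         . '" alt="' . $productName . '">';
}

// Hardened pattern: encode for an HTML attribute context, quotes included.
function render_premium_image_escaped(string $imageUrl, string $productName): string {
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<img src="' . htmlspecialchars($imageUrl, $flags, 'UTF-8')
         . '" alt="' . htmlspecialchars($productName, $flags, 'UTF-8') . '">';
}

// Regression check: parse the markup and collect the attribute names on
// every <img>. Any name other than src and alt means the product name
// broke out of its attribute value.
function img_attribute_names(string $html): array {
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $names = [];
    foreach ($doc->getElementsByTagName('img') as $img) {
        foreach ($img->attributes as $attr) {
            $names[] = $attr->nodeName;
        }
    }
    return $names;
}

// Constructed product name: a double quote followed by a harmless marker attribute.
$name = 'Tote bag" data-injected="1';
$url  = 'https://example.org/tote.png';

foreach (['unescaped', 'escaped'] as $variant) {
    $html = call_user_func("render_premium_image_$variant", $url, $name);
    $unexpected = array_diff(img_attribute_names($html), ['src', 'alt']);
    echo $variant, ': ', $unexpected ? 'unexpected attribute(s): ' . implode(', ', $unexpected) : 'ok', PHP_EOL;
}
```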


Upgrade to the latest CiviCRM Version

  • 4.7.26
  • 4.6.33

or later

If you cannot upgrade you should apply the following patch



Sean Madsen of Left Join Labs for reporting the issue.

Seamus Lee of Australian Greens for fixing the issue.