When creating premium product in CiviCRM, the output of the product name was not properly being escaped as the alternate text when an image was being used for the product. This had the potential on contribution pages to expose credit card information.
CiviCRM versions prior to 4.7.26 and 4.6.33
CiviCRM version 4.7.26 and 4.6.33
Upgrade to the latest CiviCRM Version
If you cannot upgrade you should apply the following patch
Sean Madsen of Left Join Labs for reporting the issue.
Seamus Lee of Australian Greens for fixing the issue.