Administrators were able to store and have displayed through the description field on a tag cross site scripting code. This would show up when the system tried to display the description as an alt html tag. It has now been changed to properly escape the alt tag
CiviCRM Versions prior to 4.7.26
CiviCRM Versions 4.7.26
Upgrade to the latest version of CiviCRM:
If you cannot upgrade you should apply the following patch
Sean Madsen of Left Join Labs for reporting the issue.
Seamus Lee of Australian Greens for fixing the issue