Security Risk: 
Critical
Vulnerability: 
Cross Site Scripting
Affected Versions: 

CiviCRM Versions prior to 4.7.26

Fixed Versions: 

CiviCRM Versions 4.7.26

Publication Date: 
Wednesday, November 1, 2017
Description: 

Administrators were able to store cross site scripting (XSS) payloads in the description field of a tag. The stored description was later rendered into an HTML alt attribute without escaping, so the payload was emitted into the page and executed in the browser of any user viewing it. The code has now been changed to properly escape the description when it is placed in the alt attribute.
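To make the bug class concrete, here is an added illustration of the pattern described above. It is not CiviCRM's own code or the actual patch: the function names, the icon path and the tag description are constructed for the example. It shows a tag description interpolated into an alt attribute unescaped, and the same rendering with attribute-safe escaping.

```php
<?php
// Added illustration, not CiviCRM's own code. All names here are hypothetical.

// Constructed attacker-controlled tag description, as an administrator could have
// saved it. It closes the alt attribute and the <img> element, injects a script,
// then opens a new attribute so the remaining markup still parses.
$description = '"><script>alert(document.cookie)</script><img alt="';

// Vulnerable pattern: the description lands inside an HTML attribute verbatim.
function renderTagIconVulnerable(string $description): string
{
    return '<img src="/icons/tag.png" alt="' . $description . '">';
}

// Hardened pattern: escape for an attribute context. ENT_QUOTES matters because
// the value sits inside double quotes; the default flags would still let a '"'
// terminate the attribute. ENT_SUBSTITUTE avoids returning an empty string on
// invalid UTF-8, which would otherwise silently drop the description.
function renderTagIconSafe(string $description): string
{
    $safe = htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="/icons/tag.png" alt="' . $safe . '">';
}

// Simple check used to compare the two renderings: does the markup contain a
// raw <script element outside any attribute? A crude but sufficient test here.
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

foreach (['vulnerable' => 'renderTagIconVulnerable', 'safe' => 'renderTagIconSafe'] as $label => $fn) {
    $html = $fn($description);
    printf("%-10s raw script tag present: %s\n%s\n\n",
        $label,
        containsRawScriptTag($html) ? 'yes' : 'no',
        $html);
}
```

The vulnerable rendering emits the literal `<script>` element; the hardened one turns `"`, `<` and `>` into `&quot;`, `&lt;` and `&gt;`, so the browser shows the description text as the alt value and nothing executes. In a Smarty template, as used by CiviCRM, the equivalent is to apply the `escape` modifier to the variable at the point of output rather than trusting that it was sanitised on input (the project's own patch is not reproduced here).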

Solutions: 

Upgrade to the latest version of CiviCRM:

  • 4.7.26

or later

If you cannot upgrade, you should apply the following patch:

Credits: 

Sean Madsen of Left Join Labs for reporting the issue.

Seamus Lee of Australian Greens for fixing the issue.

References: