Security Risk: Critical
Vulnerability: Cross-Site Scripting
Affected Versions: CiviCRM versions prior to 4.7.26 and 4.6.33
Fixed Versions: CiviCRM versions 4.7.26 and 4.6.33
Publication Date: Wednesday, November 1, 2017
Description: 

CiviCRM used to output the search criteria in the description field without any escaping. Because certain parts of the criteria in a search form can be passed in as URL parameters, a cross-site scripting payload could arrive through those parameters and be displayed without being properly escaped.
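
The following illustration, added here and not taken from CiviCRM's code base or from the linked patch, shows the general shape of the defect: a search description built from request parameters without escaping, beside the hardened version that HTML-escapes each field name and value at the point of output. The `$criteria` array and the two render functions are constructed for the example.

```php
<?php
// Constructed sample criteria, as they would arrive from a search form whose
// fields are passed through as URL parameters (e.g. ?sort_name=Smith&email=...).
// The second value carries markup to show the difference in handling.
$criteria = [
    'sort_name' => 'Smith',
    'email'     => 'x@example.org <b>not escaped</b>',
];

// Vulnerable form (hypothetical): values are concatenated into the description
// verbatim, so any markup contained in a parameter reaches the browser intact.
function renderDescriptionUnescaped(array $criteria): string {
    $parts = [];
    foreach ($criteria as $field => $value) {
        $parts[] = "$field = $value";
    }
    return '<div class="description">' . implode(', ', $parts) . '</div>';
}

// Hardened form (hypothetical): every field name and value is escaped where it
// is inserted into HTML. ENT_QUOTES also escapes both quote characters, which
// matters if the text ever ends up inside an attribute value.
function escapeHtml(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderDescriptionEscaped(array $criteria): string {
    $parts = [];
    foreach ($criteria as $field => $value) {
        $parts[] = escapeHtml((string) $field) . ' = ' . escapeHtml((string) $value);
    }
    return '<div class="description">' . implode(', ', $parts) . '</div>';
}

// Regression-style check: the escaped output must not contain the raw tag,
// while the text of the criterion is still present for the user to read.
$escaped = renderDescriptionEscaped($criteria);
assert(strpos($escaped, '<b>') === false);
assert(strpos($escaped, '&lt;b&gt;not escaped&lt;/b&gt;') !== false);

echo renderDescriptionUnescaped($criteria), PHP_EOL;
echo $escaped, PHP_EOL;
```

The same escaping must be applied wherever the criteria are rendered, including any template that receives the description string, since escaping once and then re-inserting the value into markup elsewhere reintroduces the problem.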

Solutions: 

Update to the latest version of CiviCRM:

  • 4.7.26
  • 4.6.33

or later

Or apply the following patch https://github.com/civicrm/civicrm-core/pull/11001

Credits: 

Sean Madsen of Left Join Labs for Reporting and Fixing the issue

References: