Security Risk: 
Cross Site Scripting
Affected Versions: 

CiviCRM versions 5.3.0 and 4.6.37 (and earlier)

Fixed Versions: 

CiviCRM version 5.3.1 and 4.6.38 (and later)

Publication Date: 
Wednesday, July 18, 2018

When generating a report, users are able to pass filters in the URL. Some filters in contribution reports were not properly escaped. Additionally, on systems that enabled developer output for reports, the developer outputs were not properly escaped.

Extended Reports Extension:

For those CiviCRM users that use the extended reports extension, the CiviCRM Security Team advise that you should upgrade to the latest version of the extended report extension if possible. The extension from version 2.6 onwards will only with CiviCRM versions 4.7+. For of versions before 4.7, the CiviCRM Security Team advises that users should uninstall the extension on their systems.


Update to the latest version of CiviCRM

If you cannot upgrade then apply the following patch:

Patrick Figel of Greenpeace for reporting the issue.
Eileen McNaugton of Wikimedia Foundation and Sean Madsen of Left Join Labs for fixing the issue.