Affected versions: CiviCRM versions 5.3.0 and 4.6.37 (and earlier)
Fixed versions: CiviCRM versions 5.3.1 and 4.6.38 (and later)
In some scenarios where an error message incorporates user-supplied text, a malicious input could become part of the response and lead to cross-site scripting.
Upgrade to the latest version of CiviCRM.
Credit to Patrick Figel of Greenpeace for reporting the issue.
Credit to Sean Madsen of Left Join Labs for fixing the issue.
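
The error-message scenario described above, shown as an added example that is not CiviCRM's code or its actual fix: an error string built from request data is rendered once unescaped and once with HTML escaping. The function names, the `%field` placeholder and the sample input are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not CiviCRM code; function names are hypothetical.

// Unsafe: user-supplied text is substituted into the HTML response as-is.
function render_error_unsafe(string $template, array $params): string
{
    return '<div class="error">' . strtr($template, $params) . '</div>';
}

// Hardened: template and every parameter are escaped for the HTML context.
function render_error_safe(string $template, array $params): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    $escaped = [];
    foreach ($params as $placeholder => $value) {
        $escaped[$placeholder] = htmlspecialchars((string) $value, $flags, 'UTF-8');
    }
    // strtr() with an array substitutes in one pass and does not re-scan
    // replaced text, so a value containing "%field" is not expanded again.
    $body = strtr(htmlspecialchars($template, $flags, 'UTF-8'), $escaped);
    return '<div class="error">' . $body . '</div>';
}

// Constructed sample input standing in for a request parameter.
$template = 'Unknown field "%field" in request.';
$params = ['%field' => '<script>alert(1)</script>'];

echo render_error_unsafe($template, $params), PHP_EOL;
echo render_error_safe($template, $params), PHP_EOL;
```

The first line of output carries the markup through to the page unchanged; the second renders it as inert text because `<`, `>`, `&` and both quote characters are converted to entities.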