Security Risk:
Critical

Vulnerability:
Cross Site Scripting

Affected Versions:
CiviCRM versions 5.3.0 and 4.6.37 (and earlier)

Fixed Versions:
CiviCRM versions 5.3.1 and 4.6.38 (and later)

Publication Date:
Wednesday, July 18, 2018
Description:
In the contact dedupe screen, data retrieved about the contacts being compared was not properly sanitised before being rendered, so contact field values containing HTML or script could be executed in the browser of the user viewing the screen (cross-site scripting).
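
The pattern behind this class of bug, shown as an added illustrative example in PHP. This is not CiviCRM code and not the actual fix for security/core#6; the renderDedupeRow functions, the escapeHtml helper, the field names and the two sample contact records are all hypothetical, constructed here only to contrast unescaped output with output that is HTML-escaped at the point of rendering:

```php
<?php
// Added example, not CiviCRM code. Demonstrates the difference between
// interpolating contact data straight into HTML and escaping it on output.
declare(strict_types=1);

/**
 * Vulnerable variant (hypothetical): contact field values are concatenated
 * directly into the comparison table. A contact whose first name is
 * "<img src=x onerror=alert(1)>" runs script for whoever opens the screen.
 */
function renderDedupeRowVulnerable(string $field, array $contactA, array $contactB): string
{
    return '<tr><td>' . $field . '</td>'
        . '<td>' . ($contactA[$field] ?? '') . '</td>'
        . '<td>' . ($contactB[$field] ?? '') . '</td></tr>';
}

/**
 * Escape a value for use as HTML text content or attribute value.
 * ENT_QUOTES covers both quote characters, ENT_SUBSTITUTE avoids returning
 * an empty string on malformed UTF-8 (which would silently drop data).
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened variant (hypothetical): every value that originates from a
 * contact record is escaped at the point of output, so markup in the data
 * is displayed literally instead of being parsed by the browser.
 */
function renderDedupeRowSafe(string $field, array $contactA, array $contactB): string
{
    return '<tr><td>' . escapeHtml($field) . '</td>'
        . '<td>' . escapeHtml((string) ($contactA[$field] ?? '')) . '</td>'
        . '<td>' . escapeHtml((string) ($contactB[$field] ?? '')) . '</td></tr>';
}

// Constructed sample data: two records flagged as possible duplicates, one of
// which carries a stored XSS payload in its first name.
$contactA = ['first_name' => 'Alice', 'email' => 'alice@example.org'];
$contactB = [
    'first_name' => '<img src=x onerror=alert(document.cookie)>',
    'email'      => 'alice@example.org',
];

$vulnerable = renderDedupeRowVulnerable('first_name', $contactA, $contactB);
$safe       = renderDedupeRowSafe('first_name', $contactA, $contactB);

// The vulnerable row still contains a live <img ... onerror=...> element;
// the hardened row contains only the escaped text &lt;img ... &gt;.
$vulnerableHasTag = strpos($vulnerable, '<img src=x onerror=') !== false;
$safeHasTag       = strpos($safe, '<img') !== false;
$safeHasEscaped   = strpos($safe, '&lt;img src=x onerror=alert(document.cookie)&gt;') !== false;

printf("vulnerable output contains live tag: %s\n", $vulnerableHasTag ? 'yes' : 'no');
printf("hardened output contains live tag:   %s\n", $safeHasTag ? 'yes' : 'no');
printf("hardened output contains escaped text: %s\n", $safeHasEscaped ? 'yes' : 'no');
echo $safe, PHP_EOL;
```

The important property is that escaping happens where the data meets the HTML, not where it is read from the database: the same contact field may be legitimately stored with angle brackets, and only the rendering context decides how it must be encoded.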

Solutions:
Upgrade to CiviCRM 5.3.1 or 4.6.38, or a later release in the respective series.

Credits:
Patrick Figel of Greenpeace for reporting the issue.
Eileen McNaughton of Wikimedia Foundation for fixing the issue.

References:
security/core#6