Security Risk: Critical
Vulnerability: Cross Site Scripting
Affected Versions: CiviCRM versions 5.3.0 and 4.6.37 (and earlier)
Fixed Versions: CiviCRM version 5.3.1 and 4.6.38 (and later)
Publication Date: Wednesday, July 18, 2018

Description: 

The "context" parameter for a number of screens was not properly validated. In some screens, this was found to enable cross-site scripting attacks. To correct the known vulnerability and to guard against potential others, the validation rules have been tightened across a wide range of screens.
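The fix described above is to tighten validation of the "context" parameter. The following is an added illustration of that defensive pattern, not CiviCRM's own code: the parameter is checked against a fixed allowlist of known context names (the names used here are hypothetical) and falls back to a default when it does not match, and the value is still HTML-escaped when it is written back into a page, so output encoding does not depend on input validation having happened upstream.

```php
<?php
// Added example, not CiviCRM code. Demonstrates allowlist validation of a
// request parameter such as "context", plus escaping on output.

/**
 * Return $value if it is exactly one of the allowed context names,
 * otherwise return $default. Unknown or missing values never pass through.
 */
function validateContext(?string $value, array $allowed, string $default): string
{
    if ($value === null) {
        return $default;
    }
    // Strict comparison: exact string match, no type juggling, case-sensitive.
    if (!in_array($value, $allowed, true)) {
        return $default;
    }
    return $value;
}

/**
 * Reflect the context into a hidden form field. The value is escaped even
 * though it has already been validated, so this function is safe on its own.
 */
function renderContextField(string $context): string
{
    $safe = htmlspecialchars($context, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="context" value="' . $safe . '">';
}

// Hypothetical allowlist of contexts a screen actually supports.
$allowedContexts = ['search', 'dashboard', 'contact'];

// Constructed sample inputs: a valid value, an attribute-breaking string,
// a case variant, and a missing parameter.
$samples = [
    'search',
    '"><b>injected</b>',
    'Search',
    null,
];

foreach ($samples as $input) {
    // In a real request handler $input would come from $_GET['context'] ?? null.
    $ctx = validateContext($input, $allowedContexts, 'search');
    echo renderContextField($ctx), PHP_EOL;
}
```

Only the first sample survives validation unchanged; the other three collapse to the default, so the rendered field never carries attacker-controlled markup. Keeping the allowlist per screen, rather than one global list, is what makes it possible to tighten rules "across a wide range of screens" without any screen accepting a context it does not use.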

Solutions: 

Upgrade to the latest version of CiviCRM

Credits:

Patrick Figel of Greenpeace for reporting the issue.
Sean Madsen of Left Join Labs for fixing the issue.

References: 

security/core#14