Security Risk: Critical
Vulnerability: Cross Site Scripting
Affected Versions: CiviCRM versions 5.10.2 and earlier
Fixed Versions: CiviCRM versions 5.10.3 and 5.7.4
Publication Date: Wednesday, February 20, 2019
Description: When Contact entity fields are added to forms, the display name label was not properly sanitised.
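As an added illustration (not CiviCRM's own code), the following PHP shows the flaw class described above: a contact display name rendered into a form label without escaping, beside the escaped rendering that turns the same markup into inert text. The helper names, the field id and the sample display name are assumptions for the demonstration.

```php
<?php
// Added illustration, not CiviCRM code. A contact's display name is data
// chosen by whoever created or edited the contact, so when it is reused as
// a form label it must be treated as untrusted text, never as HTML.

// Vulnerable pattern (hypothetical helper): the display name is
// interpolated straight into the label markup.
function renderLabelUnsafe(string $fieldId, string $displayName): string
{
    return "<label for=\"$fieldId\">$displayName</label>";
}

// Hardened pattern: encode both values for an HTML context before output.
// ENT_QUOTES also encodes ' and " so the id is safe inside an attribute;
// the explicit charset avoids surprises from a non-UTF-8 default_charset.
function renderLabelSafe(string $fieldId, string $displayName): string
{
    $id   = htmlspecialchars($fieldId, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $name = htmlspecialchars($displayName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<label for=\"$id\">$name</label>";
}

// Regression-style check: the label text must contain no raw tag or
// attribute-breaking characters other than those of the <label> wrapper.
function labelContentIsInert(string $html): bool
{
    if (!preg_match('#^<label for="[^"<>]*">(.*)</label>$#s', $html, $m)) {
        return false;
    }
    return strpbrk($m[1], '<>"\'') === false;
}

// Constructed sample display name carrying markup, as a tester would
// enter it into the contact's name fields to exercise the label.
$sample = 'Jane <b>Doe</b> <img src=x onerror=alert(1)>';

foreach (['unsafe' => renderLabelUnsafe('contact_1', $sample),
          'safe'   => renderLabelSafe('contact_1', $sample)] as $kind => $html) {
    printf("%-6s inert=%s  %s\n", $kind, labelContentIsInert($html) ? 'yes' : 'no', $html);
}
```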

Solutions: Upgrade to the latest CiviCRM version.

Credits: Sean Colsen of Left Join Labs for reporting the issue; Seamus Lee of Australian Greens for fixing the issue.

References: security/core#9