When viewing an activity, the activity details were not sufficiently filtered to prevent cross-site scripting attacks.
CiviCRM version 5.28.0 and earlier
CiviCRM version 5.28.1 and 5.27.5 ESR
Upgrade to the latest version
Sean Colesen of Left Join Labs and Patrick Figel of Greenpeace CCE for reporting the issue
Seamus Lee of CiviCRM Core Team for fixing the issue