In certain output media, error messages were not properly escaped.
This issue did not lead directly to cross-site scripting, but it could lead to other HTML injections.
Affected versions: CiviCRM version 5.28.0 and earlier
Fixed versions: CiviCRM version 5.28.1 and 5.27.5 ESR
Upgrade to the latest version of CiviCRM
Cure53 and Mozilla Open Source Support (MOSS) for reporting the issue
Seamus Lee and Coleman Watts of CiviCRM Core Team for fixing the issue