In CiviMail, multiple fields and screens could be used as vectors for cross-site scripting.
Exploiting this requires that the attacker have permission to manage CiviMail content.
CiviCRM v6.15.2 and earlier
CiviCRM v6.15.3, v6.10.7 (ESR), and later
Upgrade to a fixed version of CiviCRM
Patrick Figel (Greenpeace Central and Eastern Europe), Lassi (lassitemp@proton.me), Johannes Filter (Medien in Bewegung e. V), Luke Stewart (Fuzion), Seamus Lee (JMA Consulting), Tim Otten (CiviCRM), Benjamin W
