Publicat
2017-07-05 23:00
In the "Recently Viewed" block, the title field of the hyperlink was not properly escaped.
Security Risk
Less Critical
Vulnerability
Cross Site Scripting
Affected Versions
- 4.7.20 and earlier
- 4.6.28 and earlier
Fixed Versions
- 4.7.21
- 4.6.29
Solutions
Upgrade to the latest CiviCRM version
If you cannot upgrade you should apply the following patch:
Credits
Chris Burgess of Fuzion Aotearoa for reporting the issue
Sean Madsen for fixing the issue
References
https://issues.civicrm.org/jira/browse/CRM-20046