Published
2018-07-18 09:00
In the contact dedupe screen, data retrieved about the contacts was not properly sanitised.
Security Risk
Critical
Vulnerability
Cross Site Scripting
Affected Versions
CiviCRM versions 5.3.0 and 4.6.37 (and earlier)
Fixed Versions
CiviCRM version 5.3.1 and 4.6.38 (and later)
Solutions
Upgrade to the latest version of CiviCRM
Credits
Patrick Figel of Greenpeace for reporting the issue.
Eileen McNaughton of Wikimedia Foundation for fixing the issue.
References
security/core#6