In the contact dedupe screen, data retrieved about the contacts was not properly sanitised.
Affected versions: CiviCRM versions 5.3.0 and 4.6.37 (and earlier)
Fixed versions: CiviCRM versions 5.3.1 and 4.6.38 (and later)
Upgrade to the latest version of CiviCRM.
Patrick Figel of Greenpeace for reporting the issue.
Eileen McNaughton of Wikimedia Foundation for fixing the issue.
security/core#6