When generating a report, users are able to pass filters in the URL. Some filters in contribution reports were not properly escaped. Additionally, on systems that enabled developer output for reports, the developer outputs were not properly escaped.
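As an added example (not CiviCRM's own code and not part of this advisory), the following Python scan reads constructed web-server access-log lines and flags report requests whose URL filter parameters carry HTML or script markup, which is the kind of input the unescaped filters would have reflected. The `/civicrm/report/` path prefix and the filter parameter names are assumptions, and the log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2018:10:00:01 +0000] "GET /civicrm/report/instance/1?reset=1&force=1&receive_date_from=2018-01-01 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jul/2018:10:00:09 +0000] "GET /civicrm/report/instance/1?reset=1&force=1&contribution_status_id_value=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jul/2018:10:00:12 +0000] "GET /civicrm/contact/view?reset=1&cid=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.8 - - [01/Jul/2018:10:00:15 +0000] "GET /civicrm/report/instance/3?reset=1&total_amount_min=10%22%20onmouseover%3D%22x HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed path prefix for CiviCRM report pages.
REPORT_PATH_RE = re.compile(r'^/civicrm/report/')
# Markup that has no business in a report filter value: tags, event handlers, javascript: URLs.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE)


def suspicious_params(target):
    """Return {param: decoded_value} for query params on a report URL that contain markup."""
    parsed = urlparse(target)
    if not REPORT_PATH_RE.match(parsed.path):
        return {}
    found = {}
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for v in values:
            decoded = unquote_plus(v)  # second decode catches double-encoded values
            if MARKUP_RE.search(decoded):
                found[name] = decoded
    return found


def scan_log(text):
    """Return (ip, timestamp, param, value) for each report request carrying markup in a filter."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, value in suspicious_params(m.group("target")).items():
            hits.append((m.group("ip"), m.group("ts"), param, value))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```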
Extended Reports Extension:
For those CiviCRM users that use the Extended Reports extension, the CiviCRM Security Team advises that you should upgrade to the latest version of the extension if possible. From version 2.6 onwards the extension will only work with CiviCRM versions 4.7+. For CiviCRM versions before 4.7, the CiviCRM Security Team advises that users should uninstall the extension on their systems.
Affected versions: CiviCRM 5.3.0 and 4.6.37 (and earlier)
Fixed versions: CiviCRM 5.3.1 and 4.6.38 (and later)
Update to the latest version of CiviCRM
If you cannot upgrade, apply the following patch:
https://gist.github.com/seamuslee001/fca5d9f13dc81e050bb2908fc85bbbec
security/core#1