Description: In some scenarios where an error message incorporates user-supplied text, a malicious input could become part of the response and lead to cross-site scripting.
Affected versions: CiviCRM 5.3.0 and 4.6.37 (and earlier)
Fixed versions: CiviCRM 5.3.1 and 4.6.38 (and later)
Mitigation: Upgrade to the latest version of CiviCRM.
Credits: Patrick Figel of Greenpeace for reporting the issue. Sean Madsen of Left Join Labs for fixing the issue.
References: security/core#2, security/core#3
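As an added illustration of the bug class described above (hypothetical PHP, not CiviCRM's own code; the function and field names are assumptions), an error-message builder that concatenates a request value straight into HTML, beside the form that escapes the value at the output boundary:

```php
<?php
// Constructed example, not taken from CiviCRM. Builds the error message a
// form handler might return when a submitted field fails validation.

// Vulnerable: the raw user-supplied value is spliced into HTML, so any
// markup it contains is interpreted by the browser as part of the page.
function errorMessageUnsafe(string $fieldName): string
{
    return "<div class=\"error\">Invalid value for field '$fieldName'</div>";
}

// Hardened: escape for the HTML context before concatenating, so the
// value is rendered as literal text regardless of what it contains.
function errorMessageSafe(string $fieldName): string
{
    $escaped = htmlspecialchars($fieldName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class=\"error\">Invalid value for field '$escaped'</div>";
}

// Constructed sample input: a field name carrying harmless markup, enough
// to show whether tags survive into the response.
$submitted = "<b>email</b>";

echo errorMessageUnsafe($submitted), PHP_EOL;
// <div class="error">Invalid value for field '<b>email</b>'</div>   (tags live)

echo errorMessageSafe($submitted), PHP_EOL;
// <div class="error">Invalid value for field '&lt;b&gt;email&lt;/b&gt;'</div>
```

The same escaping applies to any other user-controlled fragment that ends up in an error response, such as option values or uploaded file names.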