Security Risk:
Critical
Vulnerability:
Cross Site Scripting
Affected Versions:
- 4.7.13 and earlier
- 4.6.23 and earlier
Fixed Versions:
- 4.7.14
- 4.6.24
Publication Date:
Friday, December 2, 2016
Description:
When displaying entity reference fields, the labels were not properly escaped before being rendered as HTML, so markup in a label was interpreted by the browser.
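The defect described above, shown as an added example that is not CiviCRM's own code: a label rendered into HTML verbatim beside the same rendering with output escaping. The "crm-entityref" markup, the function names and the sample labels are constructed for this example.

```javascript
// Added example (not CiviCRM code): rendering entity-reference labels into HTML.
// Wrapper markup, function names and sample data are constructed assumptions.

// Minimal HTML escaper covering text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the label is interpolated verbatim, so any markup inside
// a user-entered name becomes live markup once inserted with innerHTML.
function renderLabelVulnerable(entity) {
  return `<span class="crm-entityref" data-id="${entity.id}">${entity.label}</span>`;
}

// Hardened pattern: every dynamic value is escaped for its HTML context.
function renderLabelEscaped(entity) {
  return `<span class="crm-entityref" data-id="${escapeHtml(entity.id)}">` +
    `${escapeHtml(entity.label)}</span>`;
}

// Constructed sample: labels carrying markup and quote characters, as
// user-entered contact names can.
const sampleEntities = [
  { id: 42, label: 'Acme <b>Corp</b> & Sons' },
  { id: 43, label: 'Jane "JJ" O\'Brien' },
];

function renderAll(renderer) {
  return sampleEntities.map(renderer).join('\n');
}

// Check used by a reviewer or test: after stripping the known wrapper tags,
// any remaining '<' came from a label and would be parsed as markup.
function containsRawMarkup(html) {
  return html.replace(/<\/?span[^>]*>/g, '').includes('<');
}

console.log(renderAll(renderLabelVulnerable));
console.log(renderAll(renderLabelEscaped));
```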
Solutions:
Update to the latest version of CiviCRM
- 4.6.24
- 4.7.14
If you cannot upgrade, apply the following patch: https://github.com/civicrm/civicrm-core/pull/9482/files
Credits:
Coleman Watts for raising the issue and providing a fix.
References: