Published: 2019-02-20 09:00

When Contact entity fields are added to forms, the display name label was not properly sanitised.

Security Risk: Critical
Vulnerability: Cross Site Scripting
Affected Versions: CiviCRM versions 5.10.2 and earlier
Fixed Versions: CiviCRM versions 5.10.3 and 5.7.4
Solutions: Upgrade to the latest CiviCRM version
Credits:
Sean Colsen of Left Join Labs for reporting the issue.
Seamus Lee of Australian Greens for fixing the issue.
References: security/core#9