PT-2025-45658 · Pypi · Ckan

Published: 2025-10-29

Updated: 2025-10-29

CVSS v3.1: 6.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Impact

The helpers.markdown_extract() function did not sufficiently sanitize its input before wrapping the result in an HTML literal, so the template engine rendered it without escaping. This helper is used to render user-provided data on dataset, resource, organization and group pages (plus any page provided by an extension that uses the helper), creating a potential stored XSS vector.
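As an added illustration (not CKAN's code and not the actual patch), the Python snippet below models the defect the advisory describes: an extract helper that wraps user text in a template "literal" type without escaping, beside a hardened variant that escapes before marking the string safe, plus a regression check a maintainer could run over rendered extracts. The Literal class, the truncate() helper and the sample input are constructed for this example.

```python
import html
import re


class Literal(str):
    """Constructed stand-in for a template engine's 'safe' string type:
    anything wrapped in it is rendered verbatim, bypassing auto-escaping."""


def truncate(text: str, length: int) -> str:
    """Cut text at the last space before `length`, appending an ellipsis."""
    if len(text) <= length:
        return text
    cut = text.rfind(" ", 0, length)
    return text[: cut if cut > 0 else length] + "..."


# Vulnerable shape (illustrative): user text becomes a literal without
# escaping, so any markup it contains reaches the browser as live HTML.
def markdown_extract_unsafe(text: str, length: int = 190) -> Literal:
    return Literal(truncate(text, length))


# Hardened shape: strip author markup to plain text, truncate, then escape
# the truncated string so no entity is split and no tag survives, and only
# then mark the result as a literal.
def markdown_extract_safe(text: str, length: int = 190) -> Literal:
    plain = re.sub(r"<[^>]*>", "", text)
    return Literal(html.escape(truncate(plain, length), quote=True))


def contains_markup(rendered: str) -> bool:
    """Regression check: does a rendered extract still hold a tag-like token?"""
    return re.search(r"<\s*/?\s*[a-zA-Z]", rendered) is not None


# Constructed sample of a dataset description containing markup.
SAMPLE = 'Census 2020 <b>summary</b> <script>alert("x")</script> per county'

if __name__ == "__main__":
    for fn in (markdown_extract_unsafe, markdown_extract_safe):
        out = fn(SAMPLE, length=60)
        print(f"{fn.__name__}: markup={contains_markup(out)} -> {out!r}")
```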

Patches

This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4.

Fix

XSS


Weakness Enumeration

Related Identifiers

GHSA-2R4H-8JXV-W2J8

Affected Products

Ckan