Block Class module allows users to add classes to any block through the block’s configuration interface. This release includes a fix for a cross-site scripting (XSS) vulnerability through which JavaScript could be inserted in the class field of a block’s configuration interface.
Drupal core is not affected. If you do not use the contributed Block Class module, there is nothing you need to do.
Install the latest version:
See also the Block Class page.