Channel: share.ez.no > eZ Publish Security Advisories

Cross site scripting (XSS) issue in the ezstarrating extension


This update fixes a security issue related to cross site scripting (XSS) in the ezstarrating extension.
If the attribute id passed to ezsrServerFunctions::rate() contained a script and the other parameters did not validate, the injected script was output as-is to the client. Whether the script then executed depended on how the client treated the output: as JSON (normally safe) or as JavaScript (not safe).
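
The pattern described above, as an added example that is not the ezstarrating code or the linked patch: a hypothetical handler that echoes the attribute id on its error path, next to a hardened version. The function names, response shape and sample input are assumptions made for illustration.

```php
<?php
// Added illustration. Function names and the response shape are hypothetical
// and are not taken from the ezstarrating source or its patch.

// Before: the id is copied into the response even when validation fails.
function rateUnsafe(array $args): string
{
    $id      = $args[0] ?? '';
    $version = $args[1] ?? '';
    $rating  = $args[2] ?? '';

    if (!ctype_digit((string)$version) || !ctype_digit((string)$rating)) {
        // Raw concatenation: markup in $id reaches the client unchanged.
        return '{"id":"' . $id . '","rated":false}';
    }
    return '{"id":"' . $id . '","rated":true}';
}

// After: validate every parameter first and never echo the raw value.
function rateSafe(array $args): string
{
    // Escape <, >, &, ' and " so the body stays inert if a client
    // interprets it as script or markup instead of JSON.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;

    foreach ([0, 1, 2] as $i) {
        $value = $args[$i] ?? null;
        if (!is_string($value) || !ctype_digit($value)) {
            // The error path carries no request-controlled data.
            return json_encode(['id' => 0, 'rated' => false], $flags);
        }
    }
    return json_encode(['id' => (int)$args[0], 'rated' => true], $flags);
}

// Constructed input: a script in the id, with invalid version and rating.
$args = ['<script>marker()</script>', 'x', 'y'];

echo rateUnsafe($args), PHP_EOL; // unsafe handler
echo rateSafe($args), PHP_EOL;   // hardened handler

// When serving the response, declare it as JSON and disable content sniffing:
// header('Content-Type: application/json; charset=utf-8');
// header('X-Content-Type-Options: nosniff');
```

Running both handlers on the same input shows the difference on the error path, which is the path the advisory describes.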

Patch:

https://github.com/ezsystems/ezstarrating/commit/92442b48d37f3cf72d9ffc4e3be1dbc438769b48

A Security Update with the reference EZPSA-2011-003 is available for eZ Publish Enterprise customers.

