BuddyPress 2.3.3 is available and users are encouraged to update as soon as possible. A few security vulnerabilities were discovered in BuddyPress Messages, a core component that allows users to send and receive private messages.
A vulnerability was responsibly disclosed to the BuddyPress team that could allow members to manipulate a failed private outbound message and inject unexpected output to the browser. The vulnerability was reported by Krzysztof Katowicz-Kowalewski.
In addition to the first vulnerability, the BuddyPress core development team independently discovered and fixed related vulnerabilities with the messages component that could allow for carefully crafted private message content to be rendered incorrectly to the browser.
BuddyPress 2.3.3 also fixes a couple of bugs in the 2.3 codebase and improves support for backend changes made in WordPress 4.3. To protect your sites from these vulnerabilities, you should perform a full backup and update BuddyPress as soon as possible.
Totally off-topic, but the reporter has a really nice name, Krzysztof Katowicz-Kowalewski!