It was identified that inputs were not correctly validated when viewing an activity related to a case, due to custom group title not being properly escaped for SQL generation.
This is mitigated by the fact that an attacker would need to have the "administer CiviCRM" permission, and that the issue only affects sites with CiviCase enabled.
- 4.7.13 and earlier
- 4.6.23 and earlier
Mathieu Lutfy for reporting and providing the fix.