Only the Drupal implementation of the following versions are affected:
- 4.7.20 and earlier
- 4.6.28 and earlier
Drupal Views allows an administrator to produce a screen with data from CiviCRM's custom-fields. Certain custom-fields could potentially be manipulated to inject SQL.
Upgrade to the latest version of CiviCRM
If you cannot upgrade then you should apply the following patch
John Kingsnorth of Cambridge University for reporting the issue
Dave Jenkins of Circle Interactive for fixing the issue