When retrieving cases via AJAX, some parameters were not properly validated. This allowed for SQL injection.
CiviCRM versions 5.3.0 and 4.6.37 (and earlier)
CiviCRM version 5.3.1 and 4.6.38 (and later)
Upgrade to the latest version of CiviCRM
Patrick Figel of Greenpeace for reporting the issue.
Coleman Watts of CiviCRM Core Team for fixing the issue.