Security Risk:
Moderately Critical

Vulnerability:
SQL Injection

Affected Versions:
CiviCRM versions 5.3.0 and 4.6.37 (and earlier)

Fixed Versions:
CiviCRM versions 5.3.1 and 4.6.38 (and later)

Publication Date:
Wednesday, July 18, 2018
Description:
When retrieving cases via AJAX, some request parameters were not properly validated before being used in a database query. This allowed SQL injection.

Solutions:
Upgrade to the latest version of CiviCRM (at least 5.3.1 on the 5.x series, or 4.6.38 on the 4.6 series).

Credits:
Patrick Figel of Greenpeace for reporting the issue.
Coleman Watts of the CiviCRM Core Team for fixing the issue.

References:
security/core#12