Security Risk: Moderately Critical
Vulnerability: SQL Injection
Affected Versions: CiviCRM versions 5.3.0 and 4.6.37 (and earlier)
Fixed Versions: CiviCRM versions 5.3.1 and 4.6.38 (and later)
Publication Date: Wednesday, July 18, 2018
Description: 

When generating a list of the custom groups that use a particular sub-type, the sub-type value was not properly escaped before being used in the SQL query, allowing SQL injection.
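
The following is an added illustration of the defect class named above, not CiviCRM's own code: a lookup of custom groups by sub-type written once with the value interpolated into the SQL text (the unescaped pattern) and once with the value bound as a query parameter (the corrected pattern). The table layout, rows and sub-type strings are constructed for the example and are a simplified stand-in for CiviCRM's schema; in CiviCRM's PHP code base the equivalent of the safe form is passing the value as a typed parameter to `CRM_Core_DAO::executeQuery()` rather than concatenating it.

```python
import sqlite3

# Constructed sample data: a simplified stand-in for a custom-group table,
# not CiviCRM's real schema.
SAMPLE_ROWS = [
    (1, "Student Details", "Individual", "Student"),
    (2, "Donor Details", "Individual", "Donor"),
    (3, "Org Details", "Organization", None),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE custom_group (id INTEGER, title TEXT, extends TEXT, sub_type TEXT)"
    )
    conn.executemany("INSERT INTO custom_group VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def groups_for_subtype_unsafe(conn, sub_type):
    """Vulnerable form: the sub-type is spliced into the SQL text, so any
    quote characters in it change the structure of the query."""
    sql = f"SELECT title FROM custom_group WHERE sub_type = '{sub_type}'"
    return [row[0] for row in conn.execute(sql)]


def groups_for_subtype_safe(conn, sub_type):
    """Fixed form: the sub-type is bound as a parameter, so the driver treats
    it purely as data regardless of its contents."""
    sql = "SELECT title FROM custom_group WHERE sub_type = ?"
    return [row[0] for row in conn.execute(sql, (sub_type,))]


def demo():
    """Run both forms on a benign value and on a constructed value containing
    a quote, and return the result sets so the difference can be checked."""
    conn = make_db()
    benign = "Student"
    hostile = "Student' OR '1'='1"  # constructed: a quote that breaks out of the literal
    return {
        "unsafe_benign": groups_for_subtype_unsafe(conn, benign),
        "unsafe_hostile": groups_for_subtype_unsafe(conn, hostile),
        "safe_benign": groups_for_subtype_safe(conn, benign),
        "safe_hostile": groups_for_subtype_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, titles in demo().items():
        print(f"{name}: {titles}")
```

With the unescaped form, the constructed value widens the WHERE clause and every row comes back; with the parameterised form the same value simply matches no row. The difference in result-set size between the two forms is the practical check for this class of bug in a code review or regression test.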

Solutions: 

Upgrade to the latest version of CiviCRM.

Credits: 

Patrick Figel of Greenpeace for reporting the issue.

Seamus Lee of the Australian Greens for fixing the issue.

References: 

security/core#13