Most CiviCRM pages are generated with the HTML_QuickForm library. HTML_QuickForm has a vulnerability which enables a remote attacker to execute arbitrary PHP code. This is fixed in the latest version of CiviCRM.
CiviCRM versions 5.3.0 and 4.6.37 (and earlier)
CiviCRM version 5.3.1 and 4.6.38 (and later)
Upgrade to the latest version of CiviCRM.
Patrick Figel of Greenpeace for reporting the issue.
Eileen McNaugton of Wikimedia Foundation, Elliott Eggleston of Wikimedia Foundation, Monish Deb of JMA Consulting and Coleman Watts of the CiviCRM Core Team for fixing the issue.
Lab Issue reference: security/core#5