Security Risk: 
Highly Critical
Vulnerability: 
Arbitrary PHP Code Execution
Affected Versions: 

CiviCRM versions 5.3.0 and 4.6.37 (and earlier)

Fixed Versions: 

CiviCRM version 5.3.1 and 4.6.38 (and later)

Publication Date: 
Thursday, July 19, 2018
Description: 

Most CiviCRM pages are generated with the HTML_QuickForm library, which CiviCRM ships as part of its own code base. That copy of HTML_QuickForm contains a vulnerability that allows a remote attacker to execute arbitrary PHP code on the server hosting CiviCRM. Because the library underlies most pages, any installation running an affected version should be treated as exposed. The fix ships in CiviCRM 5.3.1 and 4.6.38.

Solutions: 

Upgrade to CiviCRM 5.3.1 or later, or to 4.6.38 or later if you are on the 4.6 maintenance branch. This advisory lists no configuration workaround; the fix is in the code, so upgrading is the only remediation.
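
The following script is an added example, not CiviCRM's own code or part of this advisory. It encodes the affected and fixed ranges above so that a fleet of installations can be checked quickly: a version is affected if it is on the 4.6 line and below 4.6.38, or on any other line and below 5.3.1 (which also covers 4.7.x and 5.0 through 5.3.0 as "earlier"). It assumes CiviCRM's source tree exposes its version in `xml/version.xml` as a `<version_no>` element; that layout and the sample XML are constructed assumptions, not taken from this page.

```python
"""Check whether a CiviCRM version is in the range this advisory marks as affected.

Added example, not CiviCRM code. Affected: 5.3.0 and earlier, 4.6.37 and
earlier. Fixed: 5.3.1 and later, 4.6.38 and later. The xml/version.xml layout
used below is an assumption about the CiviCRM source tree.
"""
import re
from typing import Tuple

FIXED_5 = (5, 3, 1)    # first fixed release on the 5.x line
FIXED_46 = (4, 6, 38)  # first fixed release on the 4.6 maintenance line


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a release string such as '5.3.0' or '4.6.37' into a comparable tuple.

    Only plain numeric release versions are accepted; anything else (a
    pre-release tag, a blank value) raises so it cannot be silently treated
    as fixed.
    """
    pieces = text.strip().split(".")
    if len(pieces) < 2 or not all(p.isdigit() for p in pieces):
        raise ValueError(f"unparseable CiviCRM version {text!r}")
    parts = [int(p) for p in pieces] + [0, 0]
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True if `version` falls inside the range this advisory lists as vulnerable."""
    v = parse_version(version)
    if v[:2] == (4, 6):
        # 4.6 maintenance line: 4.6.37 and earlier affected, 4.6.38 and later fixed
        return v < FIXED_46
    # Every other line (4.7.x, 5.0 to 5.3.0) is "earlier" than 5.3.1 and affected
    return v < FIXED_5


def version_from_xml(xml_text: str) -> str:
    """Extract <version_no> from the assumed xml/version.xml layout."""
    m = re.search(r"<version_no>\s*([^<\s]+)\s*</version_no>", xml_text)
    if not m:
        raise ValueError("no <version_no> element found")
    return m.group(1)


def check(xml_text: str) -> Tuple[str, bool]:
    """Return (version, affected) for the contents of a version.xml file."""
    ver = version_from_xml(xml_text)
    return ver, is_affected(ver)


# Constructed sample in the assumed xml/version.xml layout; not a real file.
SAMPLE_VERSION_XML = """<?xml version="1.0" encoding="iso-8859-1" ?>
<version>
  <version_no>5.3.0</version_no>
</version>
"""


if __name__ == "__main__":
    ver, affected = check(SAMPLE_VERSION_XML)
    print(f"CiviCRM {ver}: {'AFFECTED, upgrade' if affected else 'not affected'}")
    for sample in ("4.6.37", "4.6.38", "4.7.31", "5.3.1", "5.4.0"):
        print(f"{sample}: {'affected' if is_affected(sample) else 'fixed'}")
```

To run it against a real installation, read `xml/version.xml` from the CiviCRM root and pass its contents to `check()`; a version that does not parse is deliberately reported as an error rather than as safe.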

Credits: 

Patrick Figel of Greenpeace for reporting the issue.

Eileen McNaughton of Wikimedia Foundation, Elliott Eggleston of Wikimedia Foundation, Monish Deb of JMA Consulting and Coleman Watts of the CiviCRM Core Team for fixing the issue.

References: 

Lab Issue reference: security/core#5

CVE: 
CVE-2018-1999022