Security Risk: 
Critical
Vulnerability: 
SQL Injection
Affected Versions: 

CiviCRM Versions 5.10.2 and earlier

Fixed Versions: 

CiviCRM versions 5.10.3 and 5.7.4

Publication Date: 
Wednesday, February 20, 2019
Description: 

When populating the "PrevNext" cache (the table CiviCRM uses to store search results for previous/next record navigation), some values were interpolated into SQL statements without proper escaping, which allowed SQL injection (SQLi).
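The bug class described above, as an added illustration written for this advisory rather than CiviCRM's actual PrevNext code: the same INSERT written first with values spliced into the SQL string and then with CiviCRM's typed placeholders. The table and column names follow the civicrm_prevnext_cache table; the two helper functions and the parameter names are hypothetical, and CRM_Core_DAO::executeQuery() with %n placeholders is the project's real query API.

```php
<?php
// Added example, not CiviCRM's own code. The helpers are hypothetical;
// the table and columns match civicrm_prevnext_cache.

/**
 * Vulnerable pattern: caller-influenced values are spliced straight into
 * the SQL text. A cache key or data value containing a quote or a comment
 * sequence changes the statement instead of being stored as data.
 */
function prevnext_cache_insert_unsafe(string $entityTable, int $id1, int $id2, string $cacheKey, string $data): void {
  $sql = "INSERT INTO civicrm_prevnext_cache
            (entity_table, entity_id1, entity_id2, cachekey, data)
          VALUES ('$entityTable', $id1, $id2, '$cacheKey', '$data')";
  CRM_Core_DAO::executeQuery($sql);
}

/**
 * Hardened pattern: every dynamic value goes through a numbered placeholder
 * with a declared CRM_Utils_Type. executeQuery() validates each parameter
 * against its type and quotes/escapes strings before composing the query,
 * so the values can never alter the statement structure.
 */
function prevnext_cache_insert_safe(string $entityTable, int $id1, int $id2, string $cacheKey, string $data): void {
  $sql = "INSERT INTO civicrm_prevnext_cache
            (entity_table, entity_id1, entity_id2, cachekey, data)
          VALUES (%1, %2, %3, %4, %5)";
  CRM_Core_DAO::executeQuery($sql, [
    1 => [$entityTable, 'String'],
    2 => [$id1, 'Integer'],
    3 => [$id2, 'Integer'],
    4 => [$cacheKey, 'String'],
    5 => [$data, 'String'],
  ]);
}
```

When auditing an extension or a core patch for this class of bug, look for any executeQuery() call whose SQL string is built with interpolation or concatenation of a non-constant value; each such value should either move to a typed placeholder as above or, where a placeholder cannot be used, be passed through CRM_Core_DAO::escapeString() before it is spliced in.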

Solutions: 

Upgrade to CiviCRM 5.10.3 or later (or to 5.7.4 if you are on the 5.7 series).

Credits: 

Tim Otten of CiviCRM for reporting the issue

Seamus Lee of Australian Greens and Tim Otten of CiviCRM for fixing the issue

References: 

security/core#25