CiviCRM Versions 5.13.0 and earlier
CiviCRM version 5.13.4 and 5.7.6
When processing country, state, province, or county references, some values were not properly validated - which enabled a SQL-injection (SQLI) vulnerability.
Upgrade to the latest version of CiviCRM
Tim Otten of CiviCRM Core Team for reporting the issue.
Seamus Lee of Australian Greens for fixing the issue.