Security Risk: Critical
Vulnerability: SQL Injection
Affected Versions: CiviCRM versions 5.13.0 and earlier
Fixed Versions: CiviCRM versions 5.13.4 and 5.7.6
Publication Date: Wednesday, May 15, 2019
Description: 

When processing country, state, province, or county references, some values were not properly validated, which enabled a SQL injection (SQLi) vulnerability.
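The class of defect described above, shown as an added illustration that is not CiviCRM's own code: a lookup that splices a request-supplied reference list into the SQL text, beside a version that validates every reference as a positive integer and binds it as a parameter. The table, column names and sample rows are assumed, and an in-memory SQLite database is used so the script runs stand-alone.

```php
<?php
// Added example, not CiviCRM code. Table/column names and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE state_province (id INTEGER PRIMARY KEY, name TEXT, country_id INTEGER)');
$pdo->exec("INSERT INTO state_province VALUES (1, 'New South Wales', 1013), (2, 'Victoria', 1013), (3, 'Texas', 1228)");

// Vulnerable pattern: the comma-separated reference list from the request is
// placed directly into the query string, so anything that is not a number
// reaches the SQL parser as SQL rather than as data.
function statesForCountriesVulnerable(PDO $pdo, string $countryRefs): array {
    $sql = "SELECT id, name FROM state_province WHERE country_id IN ($countryRefs)";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: each reference must be a positive integer before it is
// used, and the values are bound as parameters instead of becoming SQL text.
function statesForCountriesHardened(PDO $pdo, string $countryRefs): array {
    $ids = [];
    foreach (explode(',', $countryRefs) as $ref) {
        $ref = trim($ref);
        if (!ctype_digit($ref) || (int) $ref <= 0) {
            throw new InvalidArgumentException("Invalid country reference: $ref");
        }
        $ids[] = (int) $ref;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, name FROM state_province WHERE country_id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Well-formed references work the same in both versions.
print_r(statesForCountriesHardened($pdo, '1013, 1228'));

// A reference that is not a positive integer is rejected before any SQL runs.
try {
    statesForCountriesHardened($pdo, '1013abc');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The same validate-then-bind rule applies to state, province and county references, which are integer IDs in the same way.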


Solutions: 

Upgrade to the latest version of CiviCRM

Credits: 

Tim Otten of CiviCRM Core Team for reporting the issue.

Seamus Lee of Australian Greens for fixing the issue.

References: 

security/core#49