CiviCRM versions 5.13.0 and earlier
CiviCRM version 5.13.4 and 5.7.6
PHP libraries and applications sometimes have vulnerabilities in which an attacker may inappropriately request construction of an object. The patch in this release does not deal with a specific vulnerability. Rather, it is defense in depth -- it removes an escalation vector by which hypothetical vulnerabilities (in CiviCRM or a related PHP library/application) could become more severe.
Upgrade to the latest vesion of CiviCRM
Patrick Figel of Greenpeace for reporting the issue
Tim Otten of CiviCRM Core Team for fixing the issue