Security Risk: 
Critical
Vulnerability: 
Other
Affected Versions: 

CiviCRM versions 5.13.0 and earlier

Fixed Versions: 

CiviCRM versions 5.13.4 and 5.7.6

Publication Date: 
Wednesday, May 15, 2019
Description: 

PHP libraries and applications sometimes have vulnerabilities in which an attacker may inappropriately request construction of an object. The patch in this release does not deal with a specific vulnerability. Rather, it is defense in depth -- it removes an escalation vector by which hypothetical vulnerabilities (in CiviCRM or a related PHP library/application) could become more severe.

Solutions: 

Upgrade to the latest version of CiviCRM

Credits: 

Patrick Figel of Greenpeace for reporting the issue

Tim Otten of CiviCRM Core Team for fixing the issue

References: 

security/core#46