Security Risk:
Critical
Vulnerability:
SQL Injection
Affected Versions:
CiviCRM versions 5.13.0 and earlier
Fixed Versions:
CiviCRM version 5.13.4 and 5.7.6
Publication Date:
Wednesday, May 15, 2019
Description:
In CiviCRM APIv3, a generic action ("getOptions") inappropriately propagated an advanced option ("condition") to a lower-level function, which effectively allowed a caller to include arbitrary SQL conditions. The "getOptions" API will now ignore the "condition" option.
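The pattern described above, as an added illustration that is not CiviCRM's own code: a generic API action forwards every caller-supplied option to a low-level query builder, and that builder splices a "condition" option verbatim into its WHERE clause. The function names, the option allowlist, and the table and column names (option_value, is_active) are assumptions made for this example; only the "condition" option name comes from the advisory. The hardened wrapper mirrors the published fix, in that the API-facing action simply never forwards "condition".

```php
<?php
// Added example, not CiviCRM code. Names other than "condition" are assumed.

/**
 * Vulnerable pattern: the builder trusts a caller-supplied "condition"
 * and concatenates it into the WHERE clause as raw SQL.
 */
function buildOptionsQueryVulnerable(string $table, array $options): array
{
    $where  = ['is_active = :is_active'];
    $params = [':is_active' => 1];
    if (!empty($options['condition'])) {
        // Raw SQL fragment from the caller: this is the injection point.
        $where[] = $options['condition'];
    }
    $sql = sprintf('SELECT id, label FROM %s WHERE %s',
                   $table, implode(' AND ', $where));
    return [$sql, $params];
}

/**
 * Hardened pattern, matching the advisory's fix: the generic, externally
 * reachable action forwards only an explicit allowlist of options, so a
 * caller-supplied "condition" is dropped before the builder sees it. The
 * low-level builder itself is unchanged; internal callers may still use it.
 */
function buildOptionsQuerySafe(string $table, array $options): array
{
    $allowed   = ['limit' => true, 'sort' => true]; // assumed allowlist
    $forwarded = array_intersect_key($options, $allowed);
    return buildOptionsQueryVulnerable($table, $forwarded);
}

// Constructed input: an API caller passing a "condition" option.
$callerOptions = ['condition' => '1=1 /* caller-controlled fragment */'];

[$vulnSql] = buildOptionsQueryVulnerable('option_value', $callerOptions);
[$safeSql] = buildOptionsQuerySafe('option_value', $callerOptions);

echo $vulnSql, PHP_EOL; // WHERE clause contains the caller's raw fragment
echo $safeSql, PHP_EOL; // WHERE clause contains only the bound is_active predicate
```

The defensive point is that a "trusted internal" parameter must be stripped at the boundary where untrusted input enters, not sanitised deep inside the builder; an allowlist of forwarded option keys does that in one place. Detection for this class of bug is a code-review question rather than a runtime one: search for low-level query helpers that accept a raw SQL fragment and check every public entry point that can reach them.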
Solutions:
Upgrade to the latest version of CiviCRM
Credits:
Coleman Watts of the CiviCRM Core Team for reporting and fixing the issue.
References:
security/core!56