Security Risk: 
Critical
Vulnerability: 
SQL Injection
Affected Versions: 

CiviCRM versions 5.13.0 and earlier

Fixed Versions: 

CiviCRM version 5.13.4 and 5.7.6

Publication Date: 
Wednesday, May 15, 2019
Description: 

In CiviCRM APIv3, a generic action ("getOptions") inappropriately propagated an advanced option ("condition") to a lower-level function, which effectively allowed an API caller to include arbitrary SQL conditions in the resulting query. The "getOptions" API will now ignore the "condition" option.
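The pattern behind this advisory, modelled as an added Python example rather than CiviCRM's own PHP code (and not the change in security/core!56): a lower-level lookup accepts an internal-only "condition" string that is spliced into the WHERE clause as raw SQL, and a public API action forwards caller-supplied options to it unchanged. The table names, rows, field names and API key values are constructed for this example and do not reflect CiviCRM's schema; the injected condition is one possible payload, not one taken from the advisory.

```python
import sqlite3

# Constructed sample data (invented for this example, not CiviCRM's schema).
OPTION_ROWS = [
    ("gender", "1", "Female", 1),
    ("gender", "2", "Male", 1),
    ("gender", "3", "Other", 1),
    ("gender", "4", "Legacy value", 0),  # inactive row: a normal lookup must not return it
]
ACCOUNT_ROWS = [
    ("admin", "ak_live_9f31c2"),     # constructed secrets an injection could read
    ("reports", "ak_live_7ab004"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE option_value (field TEXT, value TEXT, label TEXT, is_active INTEGER)"
    )
    conn.execute("CREATE TABLE user_account (username TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO option_value VALUES (?, ?, ?, ?)", OPTION_ROWS)
    conn.executemany("INSERT INTO user_account VALUES (?, ?)", ACCOUNT_ROWS)
    return conn


def lookup_options(conn, field, condition=None):
    """Lower-level lookup. 'condition' is an extra WHERE clause meant for trusted
    internal callers; it is appended as raw SQL, so whoever controls it controls
    the query."""
    sql = "SELECT value, label FROM option_value WHERE field = ? AND is_active = 1"
    if condition:
        sql += " AND (" + condition + ")"  # raw SQL splice: the dangerous step
    return conn.execute(sql, (field,)).fetchall()


def get_options_vulnerable(conn, field, params):
    """Vulnerable API action: forwards the caller's 'condition' option verbatim,
    so a remote API caller can inject arbitrary SQL."""
    return lookup_options(conn, field, condition=params.get("condition"))


def get_options_fixed(conn, field, params):
    """Fixed API action: 'condition' is never forwarded from API parameters,
    matching the advisory's resolution of ignoring the option."""
    return lookup_options(conn, field, condition=None)


# Constructed payload: closes the vulnerable function's "AND (" wrapper, then
# UNIONs in rows from an unrelated table. Both SELECTs have two columns.
INJECTED = "1=0) UNION SELECT username, api_key FROM user_account WHERE (1=1"


def demo():
    """Run the same attacker-controlled params through both API actions."""
    conn = make_db()
    params = {"condition": INJECTED}
    return {
        "vulnerable": get_options_vulnerable(conn, "gender", params),
        "fixed": get_options_fixed(conn, "gender", params),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable call returns the contents of user_account instead of option labels; the fixed call returns only the active gender options, with the "condition" key silently ignored. If a product needs a filter like this at the API boundary, it should be expressed as named, validated parameters bound into the query, never as a free-form SQL fragment.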

Solutions: 

Upgrade to the latest version of CiviCRM

Credits: 

Coleman Watts of CiviCRM Core Team for reporting and fixing the issue.

References: 

security/core!56