Security Risk:
Critical
Vulnerability:
SQL Injection
Affected Versions:
CiviCRM versions 5.13.0 and earlier
Fixed Versions:
CiviCRM versions 5.13.4 and 5.7.6
Publication Date:
Wednesday, May 15, 2019
Description:
When generating a query to find particular checkbox values, the query was not properly escaped before being passed on to the database.
Solutions:
Upgrade to the latest version of CiviCRM
Credits:
Jamie McClelland of Progressive Technology Project for reporting and fixing the issue
References:
security/core#44