Security Risk: 
Critical
Vulnerability: 
SQL Injection
Affected Versions: 

CiviCRM versions 5.13.0 and earlier

Fixed Versions: 

CiviCRM versions 5.13.4 and 5.7.6

Publication Date: 
Wednesday, May 15, 2019
Description: 

When generating a query to find particular checkbox values, the query was not being properly escaped before being passed on to the database.

Solutions: 

Upgrade to the latest version of CiviCRM

Credits: 

Jamie McClelland of Progressive Technology Project for reporting and fixing the issue

References: 

security/core#44