Security Risk: 
Critical
Vulnerability: 
SQL Injection
Affected Versions: 

CiviCRM versions 5.13.0 and earlier

Fixed Versions: 

CiviCRM version 5.13.4 and 5.7.6

Publication Date: 
Wednesday, May 15, 2019
Description: 

When preparing the query for finding events for the Manage Events page, the event type parameter was not properly escaped.

Solutions: 

Upgrade to latest CiviCRM

Credits: 

Allen Shaw of Joinery for reporting the issue

Seamus Lee of Australian Greens for fixing the issue

References: 

security/core#51