Security Risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting
Affected Versions: 

CiviCRM 5.13.0 and earlier

Fixed Versions: 

CiviCRM versions 5.13.4 and 5.7.6

Publication Date: 
Wednesday, May 15, 2019
Description: 

When determining which installer type is being used, the variable was not properly validated to ensure that it was only one of a specific set of installer types.

Solutions: 

Upgrade to the latest version of CiviCRM

Credits: 

Patrick Figel of Greenpeace for reporting the issue

Seamus Lee of Australian Greens for fixing the issue

References: 

security/core#52