When processing a CiviCRM API request, the entity name was not properly validated. This could potentially lead to loading an arbitrary file on the server.
CiviCRM version 5.24.2 and earlier
CiviCRM version 5.24.3 and 5.21.3
Upgrade to the latest version of CiviCRM
Cure53 and Mozilla Open Source Support (MOSS) for reporting the isssue
Tim Otten (CiviCRM) and Seamus Lee (JMA Consulting/CiviCRM) for resolving the issue