When constructing the SQL queries for deleting activities or getting summary information about CiviCampaigns, there was inadequate escaping of SQL variables that were passed in from request parameters.
CiviCRM version 5.24.2 and earlier
CiviCRM version 5.24.3 and 5.21.3
Upgrade to the latest version of CiviCRM
Cure53 and Mozilla Open Source Support (MOSS) for reporting the issue
Seamus Lee (JMA Consulting/CiviCRM) and Patrick Figel (Greenpeace CEE) for resolving the issue