Description: When constructing contact search queries, values for certain fields were not properly escaped, which allowed SQL injection.

Affected versions: CiviCRM version 5.24.2 and earlier

Fixed versions: CiviCRM version 5.24.3 and 5.21.3

Recommendation: Upgrade to the latest version of CiviCRM

Credits:
Cure53 and Mozilla Open Source Support (MOSS) for reporting the issue
Seamus Lee (JMA Consulting/CiviCRM) and Patrick Figel (Greenpeace CEE) for fixing the issue