Users with access to APIv3 or APIv4 via any medium (including a web browser) may be able to execute an SQL injection (SQLi) attack.
Vulnerable versions: CiviCRM version 5.64.3 and earlier
Fixed versions: CiviCRM version 5.64.4, 5.65.0 and 5.63.4 (ESR)
Solution: Upgrade to the fixed version of CiviCRM
Credits:
Coleman Watts of CiviCRM
Seamus Lee of JMA Consulting/CiviCRM
Rich Lott of Artful Robot
Tim Otten of CiviCRM
References: security/core#124