When processing country, state, province, or county references, some values were not properly validated - which enabled a SQL-injection (SQLI) vulnerability.
CiviCRM Versions 5.13.0 and earlier
CiviCRM version 5.13.4 and 5.7.6
Upgrade to the latest version of CiviCRM
Tim Otten of CiviCRM Core Team for reporting the issue.
Seamus Lee of Australian Greens for fixing the issue.