4.7.13 and earlier.
4.6.23 and earlier.
It was identified that CRM_Contact_BAO_Query::apiQuery did not correctly validate contact ID inputs. This could expose contact data via SQL injection.
This is mitigated by permission restrictions: anonymous users would not typically be able to exploit this vector.
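The class of fix for this kind of flaw is to validate contact IDs as integers and bind them instead of interpolating them into SQL. The following is an added illustration, not CiviCRM's code and not the actual patch: `normalize_contact_ids`, `find_contacts`, the `contact` table and its rows are hypothetical and constructed, and the script assumes PHP 8 with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Return positive integer IDs only; anything else is rejected, never "cleaned".
function normalize_contact_ids(mixed $input): array
{
    $values = is_array($input) ? array_values($input) : [$input];
    if ($values === []) {
        throw new InvalidArgumentException('No contact ID given');
    }
    $ids = [];
    foreach ($values as $value) {
        // FILTER_VALIDATE_INT fails on trailing SQL, decimals, hex, nested arrays and null.
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new InvalidArgumentException('Invalid contact ID');
        }
        $ids[] = $id;
    }
    return $ids;
}

// Look up contacts by ID: values are validated first, then bound as integers.
function find_contacts(PDO $db, mixed $contactId): array
{
    $ids = normalize_contact_ids($contactId);
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, display_name FROM contact WHERE id IN ($placeholders) ORDER BY id");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contact (id INTEGER PRIMARY KEY, display_name TEXT)');
$db->exec("INSERT INTO contact VALUES (1, 'Alice Example'), (2, 'Bob Example'), (3, 'Carol Example')");

foreach ([2, '3', [1, 2], '1 OR 1=1', ['1', '2) OR (1=1']] as $input) {
    try {
        $rows = find_contacts($db, $input);
        echo json_encode($input), ' -> ', json_encode(array_column($rows, 'display_name')), "\n";
    } catch (InvalidArgumentException $e) {
        echo json_encode($input), ' -> rejected: ', $e->getMessage(), "\n";
    }
}
```

The last two inputs are rejected before any SQL is built, including the list in which only one element is malformed.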
Marc Brazeau for reporting the issue.
Tim Otten and Seamus Lee for fixing the issue.