Security Risk: 
Moderately Critical
Vulnerability: 
SQL Injection
Affected Versions: 

4.7.13 and earlier.

4.6.23 and earlier. 

Fixed Versions: 

4.7.14

4.6.24

Publication Date: 
Saturday, November 19, 2016
Description: 

It was identified that CRM_Contact_BAO_Query::apiQuery did not correctly validate contact ID inputs. This could expose contact data via SQL injection.

This is mitigated by permission restrictions, meaning that anonymous users would not typically be able to exploit this vector.
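As an added illustration (not CiviCRM's own code, and not the actual change made to apiQuery), this shows the defensive check the description points at: contact ID inputs are accepted only as positive integers before any SQL text is built from them. The function names and the `contact_a` table alias are assumptions.

```php
<?php
// Added example, not from the advisory or the CiviCRM code base.
// The defect class described above is a contact ID value reaching a SQL
// fragment without first being checked as an integer. Helper names and the
// "contact_a" alias are assumed for illustration.

/**
 * Return a clean list of positive integer contact IDs, or throw.
 * Accepts a single value or an array. Anything that is not a canonical
 * string of digits (for example "5 OR 1=1", "5;", "0x5", "5.0", " 5")
 * is refused outright rather than silently coerced by (int) casting.
 */
function validateContactIds($input): array {
  $ids = is_array($input) ? $input : [$input];
  $clean = [];
  foreach ($ids as $id) {
    // ctype_digit() only inspects strings, so cast genuine ints first.
    $s = is_int($id) ? (string) $id : $id;
    if (!is_string($s) || $s === '' || !ctype_digit($s) || (int) $s < 1) {
      throw new InvalidArgumentException(
        'contact_id must be a positive integer, got: ' . var_export($id, TRUE)
      );
    }
    $clean[] = (int) $s;
  }
  return array_values(array_unique($clean));
}

/**
 * Build the WHERE fragment only from validated integers, so the SQL text
 * is composed solely from values already known to be digits.
 */
function contactIdWhereClause($input): string {
  $ids = validateContactIds($input);
  return 'contact_a.id IN (' . implode(',', $ids) . ')';
}

// Constructed sample inputs (not taken from the advisory).
echo contactIdWhereClause([12, '34', 12]), "\n";
try {
  contactIdWhereClause('34 OR 1=1');   // refused before any SQL is built
} catch (InvalidArgumentException $e) {
  echo 'rejected: ', $e->getMessage(), "\n";
}
```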

Solutions: 

Upgrade to the latest version of CiviCRM, 4.7.14 or 4.6.24.

Apply one of the following patches if you cannot upgrade:

Credits: 

Marc Brazeau for reporting the issue

Tim Otten and Seamus Lee for fixing the issue.

References: