When none of the default methods of determining the request URI have succeeded, the framework will fall back to parsing the raw request URI as passed by the webserver. If this URI has a query string, it will be parsed and $_GET will be updated. In this process, the $_GET variables are not cleaned, making it possible to inject malicious data.
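The fallback path described above, sketched as an added example that is not the framework's own code: the function names are hypothetical, and `htmlentities` is an assumed stand-in for whatever input filter the application applies to its superglobals at startup.

```php
<?php
// Added illustration; all function names here are hypothetical.

// Stand-in for the input filter normally applied to superglobals at startup.
// Only values are filtered; keys are kept as parsed.
function clean_input(array $data): array
{
    $out = [];
    foreach ($data as $key => $value) {
        $out[$key] = is_array($value)
            ? clean_input($value)
            : htmlentities((string) $value, ENT_QUOTES, 'UTF-8');
    }
    return $out;
}

// Fallback as described: the query string of the raw URI overwrites $_GET
// after the startup filter has already run, so the values arrive unfiltered.
function fallback_uri_unfiltered(string $rawUri): string
{
    $parts = explode('?', $rawUri, 2);
    if (isset($parts[1])) {
        parse_str($parts[1], $_GET);
    }
    return $parts[0];
}

// Same fallback, with the re-parsed values passed through the filter
// before they replace $_GET.
function fallback_uri_filtered(string $rawUri): string
{
    $parts = explode('?', $rawUri, 2);
    if (isset($parts[1])) {
        parse_str($parts[1], $parsed);
        $_GET = clean_input($parsed);
    }
    return $parts[0];
}

// Constructed sample request URI (markup characters, URL-encoded).
$raw = '/welcome/index?name=%3Cb%3Ex%3C%2Fb%3E&tags[]=%22a%22';

$_GET = [];
$path = fallback_uri_unfiltered($raw);
var_dump($path, $_GET);   // values contain the decoded markup as sent

$_GET = [];
fallback_uri_filtered($raw);
var_dump($_GET);          // values are entity-encoded, including nested arrays
```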
All released versions are affected. This will be addressed in the 1.7.1 codebase, and can be fixed in earlier versions by applying this change