modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.Referenceshttps://demo.ripstech.com/projects/vtiger_6.5.0https://blog.ripstech.com/2016/vtiger-sql-injection/
