userinfo.php in XOOPS 1.0 RC1 allows remote malicious users to obtain sensitive information via a SQL injection attack in the "uid" parameter.
xoops xoops 1.0_rc1