SQL injection vulnerability in edituser.php in Xoops prior to 2.0.15 allows remote malicious users to execute arbitrary SQL commands via the user_avatar parameter.
xoops xoops