SQL injection vulnerability in xNews.php in xNews 1.3 allows remote malicious users to execute arbitrary SQL commands via the id parameter in a shownews action.
Affected product: x-dev xnews 1.3