SQL injection exists in front/devicesoundcard.php in GLPI prior to 9.1.5 via the start parameter.
Affected product: glpi (vendor: glpi-project)