An issue exists in S-CMS 3.0. It allows SQL Injection via the bank/callback1.php P_no field.
s-cms s-cms 3.0