An issue exists in S-CMS 1.0. It allows SQL Injection via the js/pic.php P_id parameter.
s-cms s-cms 1.0