SQL Injection exists in the JomEstate PRO up to and including 3.7 component for Joomla! via the id parameter in a task=detailed action.
comdev jomestate pro