An issue exists in Appnitro MachForm prior to 4.2.3. There is a download.php SQL injection via the q parameter.
machform machform 4.2.3