The proxystatistics module prior to 3.1.0 for SimpleSAMLphp allows SQL Injection in lib/Auth/Process/DatabaseCommand.php.
cesnet proxystatistics