download.php in inoERP 4.15 allows SQL injection through insecure deserialization.
inoideas inoerp 4.15