An issue was dicovered in vtiger crm 7.2. Union sql injection in the calendar exportdata feature.
vtiger vtiger crm 7.2.0