Presto Changeo attributegrid up to 2.0.3 exists to contain a SQL injection vulnerability via the component disable_json.php.
presto-changeo attribute grid