SQL Injection vulnerability in CRMEB_Java e-commerce system v.1.3.4 allows an malicious user to execute arbitrary code via the groupid parameter.