An issue exists in Znuny LTS 6.5.1 up to and including 6.5.7 and Znuny 7.0.1 up to and including 7.0.16 where a logged-in agent is able to inject SQL in the draft form ID parameter of an AJAX request.