J2EEFAST v2.7.0 exists to contain a SQL injection vulnerability via the sql_filter parameter in the authUserList() function.