SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote malicious user to run arbitrary SQL commands via the PreorderModel::getIdProductAttributesByIdAttributes() method.