SQL injection vulnerability in content_css.php in the TinyMCE module for CMS Made Simple 1.2.2 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter.

PHP remote file inclusion vulnerability in guestbook/gbook.php in Gaestebuch 1.2 allows remote attackers to execute arbitrary PHP code via a URL in the script_pfad parameter.