Vendor: https://github.com/xiebruce/PicUploader
Affected versions: all versions before commit https://github.com/xiebruce/PicUploader/commit/fcf82eacc4ad2e62b6182ca152a48bda739157be
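A SQL injection vulnerability exists in settings/HistoryController.php at line 107 (https://github.com/xiebruce/PicUploader/blob/2ef5b21cb2ae831ff5a56473b0f1315a6f81ff65/settings/HistoryController.php#L107). The `keyword` GET parameter is concatenated into the SQL WHERE condition without escaping or parameter binding, as the excerpt below shows: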
// Vulnerable excerpt: builds the search filter for the history listing.
// Source of taint: `keyword` is read straight from the query string; trim() only
// strips surrounding whitespace and performs no escaping or validation.
$keyword = isset($_GET['keyword']) ? trim($_GET['keyword']) : '';
$model = new HistoryModel();
$pageSize = 10;
// Empty filter by default; only populated when a non-empty keyword was supplied.
$where = '';
if($keyword){
// Sink: $keyword is concatenated three times into double-quoted LIKE patterns, so
// the request controls part of the SQL text rather than only a data value.
// NOTE(review): how $where reaches the database is not visible in this excerpt —
// presumably it is handed to HistoryModel; confirm against the full file.
// Remediation direction: keep the SQL text constant (`LIKE ?`), bind
// '%' . $keyword . '%' through a prepared statement, and escape the LIKE
// wildcards `%` and `_` in the keyword if literal matching is intended.
$where = '((`filename` LIKE "%'.$keyword.'%") OR (`url` LIKE "%'.$keyword.'%") OR (`created_at` LIKE "%'.$keyword.'%"))';
}