A flaw in SePortal allows attacker to launch SQL injection attack. The vulnerability is due to improper sanitization of input data passed via „goto“ parameter to redirect.php. The data are then used in SQL queries. The vulnerability can be used to manipulate SQL requests via arbitrary code.
The flaw was found in version 2.5. Other versions can be vulnerable also.

Source: Secunia
12.12.2011