Vendor
A SQL injection vulnerability exists in ezpublish-legacy, specifically in the dfscleanup.php script and the `_getFileList` function of the `eZDFSFileHandlerMySQLiBackend` class, allowing an attacker with local shell access to potentially expose sensitive data such as user credentials.