Hi,
There is a sql injection in Xoops 2.0.14 (and maybe before versions) .
One of the user inputs, is used in the sql query without proper checking :

File /edituser.php, Line 347 :
:: if (!empty($_POST['user_avatar'])) {
>> $user_avatar = trim($_POST['user_avatar']);
:: $criteri...

[ more ]