CVE-2016-10754

modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.
Source: NIST
CVE-2016-10754