Gazatem QMail Mailing List Manager 1.2 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request for qmail.mdb.

Multiple SQL injection vulnerabilities in categories.asp in gNews Publisher allow remote attackers to execute arbitrary SQL commands via the (1) catID or (2) editorID parameter.