Security: Possible SQL injection via pagination parameters
In class Vtiger_MiniList_Model, and in all the places where pagination is used, the limits are set by concatenating the values into the query.
Examples:
https://code.vtiger.com/vtiger/vtigercrm/blob/master/modules/Vtiger/models/MiniList.php#L157
https://code.vtiger.com/vtiger/vtigercrm/blob/master/modules/Vtiger/models/MiniList.php#L126
https://code.vtiger.com/vtiger/vtigercrm/blob/master/modules/Vtiger/models/ListView.php#L259
etc.
Concatenation of order by:
https://code.vtiger.com/vtiger/vtigercrm/blob/master/modules/Vtiger/models/ListView.php#L240
https://code.vtiger.com/vtiger/vtigercrm/blob/master/modules/Vtiger/models/ListView.php#L244
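
A sketch of a mitigation for the pattern reported above, as an added example that is not part of the original report and not vtiger code: paging values are validated as bounded integers and the sort field is mapped through an allowlist before anything is concatenated. The function names, the `start`/`limit`/`orderby`/`sortorder` request keys, and the table and column names are assumptions made for illustration.

```php
<?php
// Added example, not vtiger code. All names below are hypothetical.

/** Return $raw as an integer within [$min, $max], or throw. */
function pagingInt($raw, int $min, int $max): int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    if ($value === false) {
        throw new InvalidArgumentException('invalid paging value');
    }
    return $value;
}

/** Map the requested sort field to a known column; raw input never reaches the SQL. */
function orderByClause($field, $direction, array $allowedColumns): string
{
    if (!is_string($field) || !isset($allowedColumns[$field])) {
        throw new InvalidArgumentException('unknown sort field');
    }
    // Anything other than DESC (case-insensitive) falls back to ASC.
    $dir = (is_string($direction) && strtoupper($direction) === 'DESC') ? 'DESC' : 'ASC';
    return ' ORDER BY ' . $allowedColumns[$field] . ' ' . $dir;
}

/** Append ORDER BY and LIMIT using only validated values. */
function buildListQuery(string $baseQuery, array $request, array $allowedColumns): string
{
    $start = pagingInt($request['start'] ?? 0, 0, PHP_INT_MAX);
    $limit = pagingInt($request['limit'] ?? 20, 1, 200); // assumed page-size cap
    $sql = $baseQuery;
    if (isset($request['orderby'])) {
        $sql .= orderByClause($request['orderby'], $request['sortorder'] ?? 'ASC', $allowedColumns);
    }
    return $sql . " LIMIT $start, $limit";
}

// Constructed sample data: request key => real column.
$allowed = ['name' => 't.name', 'created' => 't.created_at'];
$ok = ['start' => '40', 'limit' => '20', 'orderby' => 'name', 'sortorder' => 'desc'];
echo buildListQuery('SELECT t.id FROM t', $ok, $allowed), PHP_EOL;

try {
    // Constructed non-integer paging value: rejected instead of concatenated.
    buildListQuery('SELECT t.id FROM t', ['limit' => '20abc'], $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```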