SQL injection vulnerability in the Q-Personel (com_qpersonel) component 1.0.2 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the katid parameter in a qpListele action to index.php.
https://exchange.xforce.ibmcloud.com/vulnerabilities/57775
http://www.xenuser.org/documents/security/qpersonel_sql.txt