SQL injection vulnerability in incident_attachments.php in Support Incident Tracker (aka SiT!) 3.65 allows remote attackers to execute arbitrary SQL commands via an uploaded file with a crafted file name.
https://exchange.xforce.ibmcloud.com/vulnerabilities/71235
http://www.kb.cert.org/vuls/id/576355