SQL injection vulnerability in ESRI ArcGIS for Server through 10.2 allows remote attackers to execute arbitrary SQL commands via unspecified input to the map or feature service.
http://support.esri.com/en/downloads/patches-servicepacks/view/productid/66/metaid/2009