SQL Injection can occur in the SirsiDynix Horizon Information Portal (IPAC20) through 3.25_9382; however, a patch is available from the vendor. This is in ipac.jsp in a SELECT WHERE statement, in a part of the uri= variable in the second part of the full= inner variable.
https://www.artresilia.com/cve-2024-44903-sql-injection-vulnerability-in-horizon-information-portal/