Multiple SQL injection vulnerabilities in Marinet CMS allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to galleryphoto.php or (2) gallery.php; or the (3) roomid parameter to room.php or (4) room2.php.