An issue was dicovered in vtiger crm 7.2. Union sql injection in the calendar exportdata feature.