SQL injection vulnerability in MaxWebPortal allows remote attackers to inject arbitrary SQL code and gain sensitive information via the SendTo parameter in Personal Messages.