SQL injection vulnerability exists in BS-Client ver. 3.* (server component) . Vulnerability arises if someone, who has enough permissions to edit or add new roles of users, is trying to remove role with specially created role’s name. It can be used, e.g., to perform user’s privileges escalation.