The vulnerability manifests in two components:

1. In DC_Table.php's searchMenu method, pre-patch code accepted unfiltered user input for database field names (tl_field), enabling SQL injection via crafted WHERE clauses. The fix added strict in_array validation.
2. In ModuleListing.php's compile method, user-controlled 'order_by' and 'sort' parameters were directly interpolated into ORDER BY clauses without validation. The patch introduced allow-list validation for these parameters. Both functions lacked input sanitization for SQL operator injection, matching the CWE-89 pattern of improper SQL special element neutralization.