The vulnerability stems from unsafe string concatenation in SQL query construction:

1. The original code used String.format() with raw user inputs like searchTerm and timeWindow in WHERE clauses
2. Parameters were embedded directly into SQL strings without parameterization or proper escaping
3. The patch adds QuoteUtils.escapeSql() to sanitize inputs, confirming these were injection points
4. The CWE-89 classification and commit message explicitly reference SQL injection in this service class
5. Vulnerable patterns match classic SQL injection vectors in JDBC-free string interpolation contexts