As part of @rouault 's WFS 2.0 work he discovered a SQL injection issue specific to WMS-Time and perhaps SOS services. It has to do with PostGIS and time validation. Based on Even's tests for WMS-Time the vulnerability is limited to unintended disclosure of data from the specific table, if specific conditions are met:
Basically you can muck with the where clause but can’t execute secondary commands (e.g. delete …). It may be possible to access unintended data through the map itself (e.g. via a label item) but that seems pretty hard. Again, SOS services have not been examined.
Fix potential SQL Injection with postgis TIME filters (#4834)
WFS-2 specific fixes for postgis time sql injections (#4834,#4815)