Valve disclosed on HackerOne: SQL Injection in report_xml.php...
An unvalidated parameter on an partner reporting page (report_xml.php) could be used to read certain SQL data from a single backing database.