Melody

**Name of the Vulnerable Software and Affected Versions** Fiyo CMS version 2.0.7 **Description** The issue concerns SQL injection. It can be exploited via the `$ GET['id']` variable in the dapur/apps/app comment/controller/comment status.php file. **Recommendations** For Fiyo CMS version 2.0.7, consider restricting access to the comment status.php file until a patch is available. As a temporary workaround, avoid using the `id` variable in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Fiyo CMS version 2.0.7 **Description** The issue concerns SQL injection. It can be exploited via the `$ GET['id']` variable in the `/dapur/apps/app article/controller/comment status.php` endpoint. **Recommendations** For Fiyo CMS version 2.0.7, consider restricting access to the `comment status.php` file until a patch is available. As a temporary workaround, avoid using the `id` variable in the affected endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Fiyo CMS version 2.0.7 **Description** The issue concerns SQL injection in a specific PHP file, allowing potential exploitation via several parameters. The vulnerable parameters include `comment`, `name`, `web`, `email`, `status`, `id` from `$ POST`, and `id` from `$ REQUEST`. **Recommendations** For Fiyo CMS version 2.0.7, consider validating and sanitizing user input for the `comment`, `name`, `web`, `email`, `status`, and `id` parameters to prevent SQL injection attacks. As a temporary workaround, restrict access to the dapur/apps/app comment/sys comment.php file until a proper fix is applied.

**Name of the Vulnerable Software and Affected Versions** Fiyo CMS version 2.0.7 **Description** The issue concerns SQL injection in a specific PHP file, sys article.php, located in the dapur/apps/app article directory. This SQL injection is possible via several POST parameters: `parent id`, `desc`, `keys`, and `level`. **Recommendations** For Fiyo CMS version 2.0.7, consider restricting access to the vulnerable sys article.php file until a patch is available. As a temporary workaround, avoid using the parameters `parent id`, `desc`, `keys`, and `level` in the affected POST requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Fiyo CMS version 2.0.7 **Description** The issue concerns SQL injection. It can be exploited via the `name` parameter in the /apps/app comment/controller/insert.php API endpoint. **Recommendations** For Fiyo CMS version 2.0.7, avoid using the `name` parameter in the /apps/app comment/controller/insert.php endpoint until the issue is resolved. As a temporary workaround, consider restricting access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Fiyo CMS version 2.0.7 **Description** The issue concerns SQL injection. It can be exploited via the `id` variable in the `/dapur/apps/app article/controller/article status.php` endpoint. **Recommendations** For Fiyo CMS version 2.0.7, consider restricting access to the `article status.php` controller to minimize the risk of exploitation. Avoid using the `id` variable in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Fiyo CMS version 2.0.7 **Description** The issue concerns SQL injection in the `article list.php` file, specifically via the `$ GET` parameters `cat`, `user`, `level`, and `iSortCol '.$i. This allows for potential exploitation. **Recommendations** For Fiyo CMS version 2.0.7, consider validating and sanitizing the `$ GET` parameters `cat`, `user`, `level`, and `iSortCol '.$i to prevent SQL injection attacks. As a temporary workaround, restrict access to the `article list.php` file until a proper fix is applied.

**Name of the Vulnerable Software and Affected Versions** Fiyo CMS version 2.0.7 **Description** The issue concerns SQL injection. It can be exploited via the `/apps/app article/controller/editor.php` endpoint using the `$ POST['id']` and `$ POST['art title']` variables. **Recommendations** For Fiyo CMS version 2.0.7, consider restricting access to the `/apps/app article/controller/editor.php` endpoint until a patch is available. As a temporary workaround, avoid using the `$ POST['id']` and `$ POST['art title']` variables in this endpoint to minimize the risk of exploitation.