CVE-2009-2010

Name of the Vulnerable Software and Affected Versions: Haudenschilt Family Connections CMS (FCMS) versions 1.9 and earlier

Description: The issue allows remote authenticated users to execute arbitrary SQL commands. This can be achieved via several parameters, including the thread parameter to "messageboard.php", the member parameter to "profile.php", the pid parameter to "gallery/index.php", and the fcms login id cookie parameter.

Recommendations: For Haudenschilt Family Connections CMS (FCMS) versions 1.9 and earlier, consider restricting access to the affected API endpoints, such as "messageboard.php", "profile.php", and "gallery/index.php", until a patch is available. As a temporary workaround, avoid using the thread, member, and pid parameters in their respective endpoints, and restrict the use of the fcms login id cookie parameter.