CVE-2009-3118

Name of the Vulnerable Software and Affected Versions: Danneo CMS versions 0.5.2 and earlier

Description: The issue is related to a SQL injection vulnerability. It allows remote attackers to execute arbitrary SQL commands via the comtext parameter, in conjunction with crafted comname and comtitle parameters, in a poll action to "index.php". This is due to incorrect input sanitization in "base/danneo.function.php".

Recommendations: For Danneo CMS versions 0.5.2 and earlier, as a temporary workaround, consider restricting access to the vote module in "mod/poll/comment.php" until a patch is available. Avoid using the comtext, comname, and comtitle parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.