PT-2009-5712 · Plume · Plume Cms

Published: 2009-09-25 · Updated: 2024-02-14 · CVE-2009-3418

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Plume CMS version 1.2.3

Description: The issue allows remote authenticated users to execute arbitrary SQL commands via the "m" parameter to "manager/index.php", and remote authenticated administrators to do so via the "id" parameter in an "edit link" action to "manager/tools.php".

Recommendations: For Plume CMS version 1.2.3, consider restricting access to "manager/index.php" and "manager/tools.php" until a fix is available. As a temporary workaround, avoid using the "m" parameter and the "id" parameter in the "edit link" action to minimize the risk of exploitation.

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2009-3418

Affected Products: Plume Cms