CVE-2014-9145

Name of the Vulnerable Software and Affected Versions Fiyo CMS version 2.0.1.8

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters in different PHP files, including the id parameter in an edit action to "dapur/index.php", the cat, user, or level parameters to "dapur/apps/app article/controller/article list.php", or the email parameter in an email action or the username parameter in a user action to "dapur/apps/app user/controller/check user.php".

Recommendations For Fiyo CMS version 2.0.1.8, consider restricting access to the vulnerable parameters id, cat, user, level, email, and username in the specified PHP files until a patch is available. As a temporary workaround, avoid using these parameters in the affected API endpoints.