Speck CMS suffers from multiple remote SQL injection vulnerabilities. The latest framework as of 05/02/2013 is affected.
af0c4fd03471abd25cd0417d9aac71d0df6693743f31e36f97bba17515c094f7
Author: Jason Whelan
PacketStorm: exploitdev
Email: exploitdevj@gmail.com
Target Software: Speck CMS Framework, Latest
Vendor URL: http://www.speckcms.org/
Multiple SQL Injection Vulnerabilities
Examples:
portal/user.cfm:
<cfquery name="qUser" datasource="#request.speck.codb#">
SELECT * FROM spUsers WHERE username = '#url.username#'
</cfquery>
portal/group.cfm:
<cfquery name="qGroup" datasource="#request.speck.codb#">
SELECT * FROM spGroups WHERE groupname = '#url.groupname#'
</cfquery>
Many more instances exist in this CMS framework. Whether a given instance is
exploitable depends on whether the affected files are used within the user's CMS.
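
Because the advisory says many more instances exist, the following added example (not part of the original advisory and not Speck CMS code) is an audit helper that flags <cfquery> bodies where a client-controlled variable is interpolated into the SQL text instead of being bound with <cfqueryparam>. The function name, the list of scopes checked and the cf_sql_varchar type in the bound sample are assumptions.

```python
import re

# A whole <cfquery ...> ... </cfquery> block; group 1 is the SQL body.
CFQUERY = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.I | re.S)
# <cfqueryparam> binds its value as a parameter instead of concatenating it.
CFQUERYPARAM = re.compile(r"<cfqueryparam\b[^>]*>", re.I)
# #scope.name# interpolation of a client-controlled scope.
TAINTED = re.compile(r"#\s*((?:url|form|cookie|cgi)\.[\w.]+)\s*#", re.I)

def find_unbound_variables(cfml):
    """Return (line, variable) for each client-supplied variable that is
    interpolated straight into the SQL text of a <cfquery> body."""
    findings = []
    for block in CFQUERY.finditer(cfml):
        body = block.group(1)
        # Blank out <cfqueryparam> tags with equal-length padding so the
        # offsets of the remaining matches still map to the original text.
        masked = CFQUERYPARAM.sub(lambda m: " " * len(m.group(0)), body)
        for hit in TAINTED.finditer(masked):
            offset = block.start(1) + hit.start()
            findings.append((cfml.count("\n", 0, offset) + 1, hit.group(1)))
    return findings

# The two queries quoted in the advisory, concatenated into one sample.
SAMPLE_ADVISORY = """<cfquery name="qUser" datasource="#request.speck.codb#">
SELECT * FROM spUsers WHERE username = '#url.username#'
</cfquery>
<cfquery name="qGroup" datasource="#request.speck.codb#">
SELECT * FROM spGroups WHERE groupname = '#url.groupname#'
</cfquery>
"""

# Constructed sample: the first query with the value bound via <cfqueryparam>.
# cf_sql_varchar is an assumed column type; match it to the real schema.
SAMPLE_BOUND = """<cfquery name="qUser" datasource="#request.speck.codb#">
SELECT * FROM spUsers
WHERE username = <cfqueryparam value="#url.username#" cfsqltype="cf_sql_varchar">
</cfquery>
"""

if __name__ == "__main__":
    for name, text in (("advisory", SAMPLE_ADVISORY), ("bound", SAMPLE_BOUND)):
        for line, var in find_unbound_variables(text):
            print(f"{name}: line {line}: #{var}# is concatenated into SQL")
```

This is a text heuristic: it misses request values that are first copied into another variable, so a clean result does not prove a template is safe.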