AVE.CMS versions less than 2.09 suffer from a remote blind SQL injection vulnerability in the "module" parameter. This is a proof of concept exploit. This issue is addressed in later versions.
a58ccee98e2766a83b2334654aae4e4bd323c91cb8f725358879fb1018be8100