CommSy through 8.6.5 has SQL Injection via the cid parameter. This is fixed in 9.2.

References

https://www.commsy.net
http://packetstormsecurity.com/files/152910/CommSy-8.6.5-SQL-Injection.html