CIS Manager 'TroncoID' Parameter SQL Injection Vulnerability

Summary
The host is installed with CIS Manager and is prone to an SQL injection vulnerability.
Impact
Successful exploitation will allow an attacker to execute arbitrary HTML or script code and to manipulate SQL queries in the backend database, allowing for the manipulation or disclosure of arbitrary data.
Impact Level: Application
Solution
No solution or patch is available as of 30th January, 2015. Information regarding this issue will be updated once the solution details are available. For updates refer to http://www.construtiva.com.br/portal/site/default.asp
Insight
Input passed via the 'TroncoID' GET parameter to default.asp is not properly sanitised before being used in an SQL query.
Affected
CIS Manager CMS
Detection
Send a crafted HTTP GET request and check whether it is able to execute an SQL query.
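Since no patch is available, a passive check of existing web server logs complements the active test above. The following is an added example, not part of the original advisory or of CIS Manager: it scans IIS W3C-format log lines for default.asp requests whose TroncoID value is not a plain integer. It assumes TroncoID is a numeric identifier; the log lines, paths and addresses are constructed samples.

```python
import re
from urllib.parse import parse_qsl

# Assumption: a legitimate TroncoID is a short unsigned integer.
PLAIN_INT = re.compile(r"[0-9]{1,10}")

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2015-01-30 10:00:01 GET /default.asp TroncoID=12&x=3 192.0.2.10 200
2015-01-30 10:00:05 GET /default.asp TroncoID=12%27 198.51.100.7 500
2015-01-30 10:00:09 GET /default.asp troncoid=12+OR+1%3D1 198.51.100.7 200
2015-01-30 10:00:12 GET /index.asp - 192.0.2.10 200
"""


def suspicious_tronco_requests(lines):
    """Return (client_ip, raw_query) for default.asp hits with a non-integer TroncoID."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The directive names the columns of the rows that follow it.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        if not row.get("cs-uri-stem", "").lower().endswith("/default.asp"):
            continue
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue
        # parse_qsl URL-decodes names and values, so encoded characters are seen decoded.
        for name, value in parse_qsl(query, keep_blank_values=True):
            # ASP request parameter names are case-insensitive, so compare lowercased.
            if name.lower() == "troncoid" and not PLAIN_INT.fullmatch(value.strip()):
                hits.append((row.get("c-ip", "?"), query))
                break
    return hits


if __name__ == "__main__":
    for client, query in suspicious_tronco_requests(SAMPLE_LOG.splitlines()):
        print(client, query)
```

A hit means the parameter carried something other than an integer, which warrants review of that client's other requests; it does not by itself show that a query was altered.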