CVE-2019-11880

CommSy through 8.6.5 has SQL Injection via the cid parameter. This is fixed in 9.2.
Source: NIST
CVE-2019-11880