Asanhamayesh CMS 3.4.6 SQL injection

> [Suggested description]
> SQL injection vulnerability in files.php in the "files" component in
> ASANHAMAYESH CMS 3.4.6 allows a remote attacker to execute arbitrary SQL
> commands via the "id" parameter.
>
> ------------------------------------------
>
> [Additional Information]
> This CMS specialty designed for managing the conferences. most of
> scientific conferences in IRAN use this CMS to manage the users to
> submit articles and also a voting platform for reviewers to select the
> best articles. Based on my report a remote attacker can gain access
> databases and all users, reviewers and articles private information
> will be disclose.
>
> ------------------------------------------
>
> [Vulnerability Type]
> SQL Injection
>
> ------------------------------------------
>
> [Vendor of Product]
> asanhamayesh.com
>
> ------------------------------------------
>
> [Affected Product Code Base]
> CMS - 3.4.6
>
> ------------------------------------------
>
> [Affected Component]
> Databases, all users information, reviewers personal information, private articles.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> An attacker as a normal user would use a simple SQL injection.
>
> ------------------------------------------
>
> [Reference]
> http://itjdconf.ir/fa/files.php?id=2
>
> ------------------------------------------
>
> [Discoverer]
> Ali Abdollahi