Public Media Manager <= 1.3 is vulnerable to remote file inclusion through the forms_dir parameter of the comcal/calmenu.php file. An attacker can use forms_dir to make the script include a remote file, which can lead to remote code execution.
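A log check for this issue, as an added example that is not part of the original advisory: it flags requests to comcal/calmenu.php whose forms_dir value names a URL scheme or a remote host instead of a local directory. The Combined Log Format, the /pmm/ install prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Script path and parameter name are taken from the advisory text above.
TARGET_PATH = "comcal/calmenu.php"
PARAM = "forms_dir"
# A directory value that starts with a URL scheme or wrapper ("http:", "ftp:", ...),
# a protocol-relative "//host" or a UNC "\\host" does not name a local directory.
REMOTE_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]+:|//|\\\\)", re.IGNORECASE)
# Combined Log Format: client, identity, user, [time], "METHOD target PROTO", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_forms_dir(line):
    """Return (client, decoded value) when a calmenu.php request carries a
    forms_dir value that points off-host; otherwise return None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _method, target, _status = m.groups()
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/" + TARGET_PATH):
        return None
    # parse_qs percent-decodes once, matching what the script itself receives.
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        if REMOTE_RE.match(value):
            return client, value
    return None

def scan(lines):
    """Group suspicious forms_dir values by client address."""
    hits = defaultdict(list)
    for line in lines:
        found = suspicious_forms_dir(line)
        if found:
            hits[found[0]].append(found[1])
    return dict(hits)

# Constructed sample log lines; addresses, hosts and the /pmm/ prefix are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /pmm/comcal/calmenu.php?forms_dir=http%3A%2F%2Fremote.example%2Finc%2F HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /pmm/comcal/calmenu.php?month=3 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /pmm/comcal/calmenu.php?forms_dir=forms%2F HTTP/1.1" 200 2048',
    '192.0.2.9 - - [01/Jan/2024:10:03:00 +0000] "GET /pmm/index.php?forms_dir=http://remote.example/ HTTP/1.1" 404 128',
]

if __name__ == "__main__":
    for client, values in scan(SAMPLE_LOG).items():
        print(client, values)
```

A hit only shows that a remote-looking value was sent; whether the include succeeded has to be confirmed on the host.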
This product, an online news CMS, suffers from SQL injection in its login, which lets us bypass the login system. It also suffers from SQL injection in its GET variables, which can be exploited to retrieve various information from the database.