SQL injection vulnerability in fichero.php in MorcegoCMS 1.7.6 and earlier allows remote attackers to execute arbitrary SQL commands via the query string.
https://exchange.xforce.ibmcloud.com/vulnerabilities/51658
http://www.exploit-db.com/exploits/9121