A flaw found in ICTimeAttendance

A flaw was found in ICTimeAttendance that allows SQL injection attacks. Input passed via the "passw" parameter to checklogin.aspx is not properly sanitised before being used in SQL queries. This can be exploited to manipulate the queries by injecting crafted SQL code. The vulnerability was confirmed in version 1.0. Other versions may also be vulnerable.
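
The flaw class described above, as an added example (not ICTimeAttendance's code, which the advisory does not show): a login check that pastes the password into the query text, beside one that binds it as a parameter. The table, function names and sample credentials are constructed assumptions, and SQLite stands in for whatever database the product uses.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table; schema and values are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, passw TEXT)")
    # Plaintext storage only keeps the demo short; real systems store salted hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("pat", "O'Neil-2012")])
    return conn

def check_login_concat(conn, name, passw):
    """Flawed pattern: request values become part of the SQL text itself."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND passw = '" + passw + "'")
    return conn.execute(sql).fetchone()[0] == 1

def check_login_param(conn, name, passw):
    """Hardened pattern: values travel as bound parameters, never as SQL text."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND passw = ?"
    return conn.execute(sql, (name, passw)).fetchone()[0] == 1

def compare(conn, name, passw):
    """Return (concat_result, param_result); 'error' if the query text broke."""
    try:
        concat = check_login_concat(conn, name, passw)
    except sqlite3.Error:
        # A quote in the input changed the statement's syntax: the input
        # was parsed as SQL rather than compared as data.
        concat = "error"
    return concat, check_login_param(conn, name, passw)

if __name__ == "__main__":
    db = make_db()
    print(compare(db, "alice", "s3cret"))     # both variants accept
    print(compare(db, "pat", "O'Neil-2012"))  # valid password breaks the concatenated query
    print(compare(db, "alice", "wrong"))      # both variants reject
```

A legitimate password containing a single quote is enough to break the concatenated statement, which makes database syntax errors on login requests a useful signal when testing for or monitoring this defect.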


Source: Secunia
23.01.2012