A flaw in Seotoaster can be used to launch an SQL injection attack. Input data passed via the "login" parameter to sys/login/index and via the "memberLoginName" parameter to sys/login/member is not properly sanitized in the "selectUserIdByLoginPass()" function before being used in SQL queries. It is possible to exploit the flaw to inject arbitrary SQL code and bypass authentication.
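The pattern behind this class of flaw, as an added illustration that is not Seotoaster's code: a hypothetical login lookup that splices the login value into the query text, beside the fixed form that binds it as a parameter. The table, user record and the `O'Brien` test value are constructed; SHA-256 is used only to keep the example self-contained (a real application should use a slow password hash such as bcrypt or Argon2).

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (1, ?, ?)",
        ("admin", hashlib.sha256(b"correct horse").hexdigest()),
    )
    return conn


def select_user_id_by_login_pass_vulnerable(conn, login, password):
    """Hypothetical reconstruction of the flawed pattern: user input is
    spliced into the SQL text, so quote characters alter the query."""
    pass_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = f"SELECT id FROM users WHERE login = '{login}' AND pass_hash = '{pass_hash}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def select_user_id_by_login_pass(conn, login, password):
    """Fixed form: bound parameters keep the input in the data plane,
    so it can never be interpreted as part of the SQL statement."""
    pass_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT id FROM users WHERE login = ? AND pass_hash = ?"
    row = conn.execute(sql, (login, pass_hash)).fetchone()
    return row[0] if row else None


def quote_in_login_is_literal(conn):
    """Show the difference: a login containing an apostrophe is ordinary data
    for the fixed function but breaks the query in the vulnerable one."""
    try:
        select_user_id_by_login_pass_vulnerable(conn, "O'Brien", "x")
        vulnerable_broke = False
    except sqlite3.OperationalError:
        vulnerable_broke = True
    fixed_result = select_user_id_by_login_pass(conn, "O'Brien", "x")
    return vulnerable_broke, fixed_result
```

A stray quote surfacing as a database error is the same control-plane confusion an attacker relies on; the bound-parameter version makes it impossible regardless of input.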
The flaw was found in version 1.9. The vendor released patched version 1.9a.
Source: Secunia
16.12.2011