The user name field of the CUA Module Login does not sanitize user input allowing for an attacker to run arbitrary SQL code. Through "--" syntax it is possible to comment out the password check allowing an attacker to log in with the first available user name in the table. After performing this several times or by searching through the "Accounts" tab within the CUA Module an attacker can gather a list of all users. With this list an attacker can select an administrator account and log in with this by simply entering the user name followed by "--".

http://www.securiteam.com/unixfocus/5GP0O15OUE.html