Geckovich TaskTracker Pro 1.5 and earlier allows remote attackers to add administrative or other accounts via an Add action with a modified GroupID in a direct request to Customize.asp.
https://www.exploit-db.com/exploits/3068
https://exchange.xforce.ibmcloud.com/vulnerabilities/31235