Multiple SQL injection vulnerabilities in login2.php in XRay CMS 1.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameters.
https://exchange.xforce.ibmcloud.com/vulnerabilities/73000
http://sourceforge.net/tracker/?func=detail&aid=3488241&group_id=298778&atid=1260461
http://archives.neohapsis.com/archives/bugtraq/2012-02/0068.html