SQL injection vulnerability in events.php in iScripts SocialWare allows remote attackers to execute arbitrary SQL commands via the id parameter in a show action.

Unrestricted file upload vulnerability in iScripts SocialWare allows remote authenticated administrators to upload arbitrary files via a crafted logo file in the "Manage Settings" functionality. NOTE: remote exploitation is facilitated by a separate SQL injection vulnerability.

iScripts SocialWare stores passwords in cleartext in a database, which allows context-dependent attackers to obtain sensitive information.