rastating.github.io

Minecraft Servers List Unauthenticated Shell Upload

January 18, 2018

Because the installation script is not removed automatically after setup and does not sanitise its input, an unauthenticated user can repurpose the connect.php file to gain remote code execution.


RegistrationMagic - Custom Registration Forms <= 3.7.9.2 Reflected XSS

December 10, 2017

Through an SQL injection vulnerability, arbitrary markup can be reflected back to the user, giving JavaScript execution in the context of the authenticated user.


RegistrationMagic - Custom Registration Forms <= 3.7.9.2 Authenticated SQL Injection

December 10, 2017

Due to a lack of input sanitisation, arbitrary `SELECT` statements can be executed and the results viewed in the field management page.


"Merna" Malware Being Distributed w/ WordPress Plugins

October 29, 2017

Whilst doing some research this evening, I acquired a plugin from an unofficial distributor. When doing exploit development, I do so in an isolated environment with all external network access disabled, for situations such as these.


Scanning Barcodes w/ Panasonic FZ-N1

October 27, 2017

Reading barcodes from the Panasonic FZ-N1's built-in scanner in an Android app can be done natively by overriding the dispatchKeyEvent method of an Activity, since the scanner delivers each scan as a sequence of key events.
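As an added illustration (this is not code from the post or from Panasonic), the Activity below collects the key events a keyboard-wedge scanner injects and hands each complete scan to a handler. It assumes the scanner is configured to send the barcode characters followed by an Enter key; the terminator key, the 100 ms inter-key gap and the whitelist regex are assumptions to adjust for your device and barcode symbology.

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.KeyEvent;
import android.widget.TextView;
import java.util.regex.Pattern;

// Added example, not the original post's code: capture scanner keystrokes
// in dispatchKeyEvent and validate the result before using it.
public class ScanActivity extends Activity {
    // Assumption: the scanner terminates each barcode with an Enter key.
    private static final int TERMINATOR_KEYCODE = KeyEvent.KEYCODE_ENTER;
    // A scanner emits characters far faster than a person types; a longer
    // gap means the buffer holds stale data from an aborted scan (assumed value).
    private static final long MAX_GAP_MS = 100;
    // Scanned data is attacker-controlled (anyone can print a label), so
    // constrain it before it reaches a query, URL or Intent (assumed policy).
    private static final int MAX_LENGTH = 64;
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9._-]+");

    private final StringBuilder scanBuffer = new StringBuilder();
    private long lastKeyTime = 0L;
    private TextView resultView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        resultView = new TextView(this);
        setContentView(resultView);
    }

    @Override
    public boolean dispatchKeyEvent(KeyEvent event) {
        int ch = event.getUnicodeChar();
        boolean printable = ch != 0 && !Character.isISOControl(ch);
        boolean terminator = event.getKeyCode() == TERMINATOR_KEYCODE;

        if (!printable && !terminator) {
            // Back, volume, trigger key, etc.: not part of a scan, so let the
            // normal dispatch chain (focused view, onKeyDown) handle it.
            return super.dispatchKeyEvent(event);
        }
        if (event.getAction() != KeyEvent.ACTION_DOWN) {
            // Swallow the matching key-up so views never see half an event.
            return true;
        }

        long now = event.getEventTime();
        if (now - lastKeyTime > MAX_GAP_MS) {
            scanBuffer.setLength(0);
        }
        lastKeyTime = now;

        if (terminator) {
            if (scanBuffer.length() > 0) {
                onBarcodeScanned(scanBuffer.toString());
                scanBuffer.setLength(0);
            }
            return true;
        }
        scanBuffer.append((char) ch);
        return true;
    }

    // Called once per complete scan with the raw decoded characters.
    private void onBarcodeScanned(String raw) {
        if (raw.length() > MAX_LENGTH || !ALLOWED.matcher(raw).matches()) {
            resultView.setText("Rejected scan of " + raw.length() + " chars");
            return;
        }
        resultView.setText("Scanned: " + raw);
    }
}
```

Consuming both the key-down and key-up of every character the scan contributes keeps the keystrokes out of any focused EditText, so the barcode is never typed into a form field by accident; the whitelist check is where a practitioner should fail closed, because the scanner will happily deliver whatever a hostile label encodes.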
