A SQL injection vulnerability exists in ldapfilter_list.php. Because the $_POST["cbox"] variable is not properly escaped, the Delete operations on that page are vulnerable to SQL injection.
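The following is an added example, not code from the advisory or from KACE, showing the pattern the advisory describes: a Delete handler that takes a list of checkbox ids from $_POST["cbox"] and builds an IN clause from it, first in the unescaped form and then in a hardened form that validates each id and binds it through a prepared statement (parameterization rather than escaping, which is the stronger fix). The table name LDAP_FILTER, the column ID and the SQLite sample data are assumptions made for illustration.

```php
<?php
// Added example, not KACE's code. Illustrates a Delete handler that takes the
// selected checkbox ids from $_POST["cbox"] and builds "DELETE ... WHERE ID IN (...)".
// The table LDAP_FILTER and column ID are assumed names for illustration only.

// Vulnerable pattern: the submitted values are joined straight into the statement,
// so whatever the client puts in cbox becomes part of the SQL text.
function delete_unsafe(PDO $db, array $cbox): int
{
    $ids = implode(',', $cbox);                     // no escaping, no type check
    $sql = "DELETE FROM LDAP_FILTER WHERE ID IN ($ids)";
    return $db->exec($sql);
}

// Hardened pattern: accept only positive integers and bind each one through a
// prepared statement with one placeholder per element of the list.
function delete_safe(PDO $db, array $cbox): int
{
    $ids = [];
    foreach ($cbox as $value) {
        if (!is_string($value) && !is_int($value)) {
            throw new InvalidArgumentException('cbox entries must be scalar');
        }
        // Reject anything that is not a plain integer >= 1 before any SQL is built.
        if (filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {
            throw new InvalidArgumentException('invalid id in cbox');
        }
        $ids[] = (int) $value;
    }
    if ($ids === []) {
        return 0;                                   // nothing selected, nothing to delete
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM LDAP_FILTER WHERE ID IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // PDO positional params are 1-based
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Self-contained demonstration on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE LDAP_FILTER (ID INTEGER PRIMARY KEY, NAME TEXT)');
$db->exec("INSERT INTO LDAP_FILTER (ID, NAME) VALUES (1,'a'),(2,'b'),(3,'c'),(4,'d')");

// A legitimate request deletes only the selected rows (2 deleted, 2 remain).
$deleted = delete_safe($db, ['2', '3']);
$remaining = $db->query('SELECT COUNT(*) FROM LDAP_FILTER')->fetchColumn();
echo "deleted $deleted rows, $remaining remain\n";

// A value that is not a plain integer is rejected before any statement is built,
// whereas delete_unsafe would have spliced it into the SQL text unchanged.
try {
    delete_safe($db, ['not-a-number']);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Run with `php example.php` (requires the pdo_sqlite extension). The validation step is what matters for this advisory: once every element of cbox has been proven to be an integer and is passed as a bound parameter, the shape of the DELETE statement can no longer be changed by the request body, and the role restriction described below becomes defense in depth rather than the only control.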
Access to this page requires a user to first successfully authenticate and log into the K1000 web-based management console.
The recommended mitigation is to create roles for the user population in order to restrict access to the Label Management page to system admins only (those in an admin role). More information about configuring roles on a K1000 may be found in the K1000 Systems Management Appliance - Administrator Guide.
This issue was addressed in version 6.4.119927 of the SMA (KACE Systems Management Appliance).