Paros 3.2.5 uses a default password for the "sa" account in the underlying HSQLDB database and does not restrict access to the local machine, which allows remote attackers to gain privileges.
https://exchange.xforce.ibmcloud.com/vulnerabilities/22557
http://www.securityfocus.com/bid/15141
http://www.securityfocus.com/archive/1/423446/100/0/threaded
http://www.gentoo.org/security/en/glsa/glsa-200601-15.xml