Plain text clients' password in database
Client's passwords are stored in plaint text (sys_user.passwort) which is unaccepted. I know that you need it for scripts run but this means that there are some architectural misconception. I think that - for quick patch you should delete passwort as soon as scripts do their jobs. Clients should have their passwords stored in hashed form