CVE-2018-18382
Advanced HRM 1.6 is affected by CVE-2018-18382, which enables Remote Code Execution via PHP code uploaded to a .php file at the user/update-user-avatar URI, accessible through the Update Profile/Change Picture flow (user/edit-profile). The issue is tied to the specific endpoint path used for upda...
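
A log check for the upload path described above, as an added example that is not part of the original advisory or of the Advanced HRM code base: it flags clients that POST to user/update-user-avatar and then successfully request a script file from the avatar storage location. The `/uploads/` directory, the combined access-log format and the 30-minute correlation window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Endpoint named in the advisory. The upload directory is an ASSUMPTION
# (the page does not say where avatars are stored); adjust to your install.
AVATAR_ENDPOINT = "user/update-user-avatar"
ASSUMED_UPLOAD_DIR = "/uploads/"
WINDOW = timedelta(minutes=30)  # assumed correlation window

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Script extensions that should never be served from an image directory.
SCRIPT_RE = re.compile(r"\.(php\d?|phtml|phar)(/|$)", re.IGNORECASE)


def find_suspicious(lines):
    """Return (ip, upload_time, path) for script hits that follow an avatar POST."""
    last_upload = {}  # client IP -> time of its most recent avatar POST
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if m["method"] == "POST" and path.rstrip("/").endswith(AVATAR_ENDPOINT):
            last_upload[m["ip"]] = ts
        elif ASSUMED_UPLOAD_DIR in path and SCRIPT_RE.search(path):
            up = last_upload.get(m["ip"])
            if up is not None and ts - up <= WINDOW and m["status"] == "200":
                findings.append((m["ip"], up, path))
    return findings


# Constructed sample access-log lines (not from a real incident).
SAMPLE = [
    '198.51.100.7 - - [10/Oct/2018:13:55:36 +0000] "POST /user/update-user-avatar HTTP/1.1" 200 512 "-" "curl"',
    '198.51.100.7 - - [10/Oct/2018:13:56:02 +0000] "GET /uploads/avatar_42.php HTTP/1.1" 200 48 "-" "curl"',
    '203.0.113.9 - - [10/Oct/2018:14:01:10 +0000] "POST /user/update-user-avatar HTTP/1.1" 200 512 "-" "Mozilla"',
    '203.0.113.9 - - [10/Oct/2018:14:01:12 +0000] "GET /uploads/avatar_43.png HTTP/1.1" 200 9000 "-" "Mozilla"',
    '192.0.2.5 - - [10/Oct/2018:14:05:00 +0000] "GET /uploads/old.php HTTP/1.1" 404 0 "-" "scanner"',
]

if __name__ == "__main__":
    for ip, when, path in find_suspicious(SAMPLE):
        print(f"{ip} uploaded at {when.isoformat()} then fetched {path}")
```

Any script file present in an image-only directory is worth reviewing on its own, whether or not a matching upload request appears in the logs.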