Lh · Lh-Ehr · CVE-2018-1000839
**Name of the Vulnerable Software and Affected Versions**
LH-EHR version REL-2 0 0
**Description**
The issue concerns an Arbitrary File Upload vulnerability in the Profile picture upload feature, which can lead to Remote Code Execution. This can be exploited by uploading a PHP file with an image MIME type.
**Recommendations**
For LH-EHR version REL-2 0 0, consider disabling the Profile picture upload feature until a patch is available to prevent exploitation. Restrict access to the upload functionality to minimize the risk of Remote Code Execution. Avoid using the Profile picture upload feature with unvalidated user input until the issue is resolved.
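The description above turns on the server accepting a PHP file because it arrives with an image MIME type. The following is an added example of server-side upload validation that ignores the client-declared type; it is not LH-EHR code, and the function name `safeProfilePictureName`, the allow-list and the sample files are assumptions made for illustration.

```php
<?php
// Added example, not LH-EHR code. Names and sample data are hypothetical.

const ALLOWED_IMAGE_TYPES = [   // detected MIME type => extension the server assigns
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Returns a server-generated file name for an acceptable image, or null.
 * $clientType (the Content-Type sent with the upload) is deliberately not
 * used for the decision: it is fully controlled by the sender.
 */
function safeProfilePictureName(string $tmpPath, string $clientType): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);            // sniffed from the file content
    if (!is_string($detected) || !array_key_exists($detected, ALLOWED_IMAGE_TYPES)) {
        return null;
    }
    if (@getimagesize($tmpPath) === false) {       // must also parse as an image
        return null;
    }
    // Never reuse the client's file name or extension.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$detected];
}

// Constructed sample inputs; both are declared by the client as image/gif.
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, '<?php echo "constructed sample"; ?>');
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    . "!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    . "\x02\x02D\x01\x00;");

var_dump(safeProfilePictureName($script, 'image/gif')); // PHP source behind an image type
var_dump(safeProfilePictureName($gif, 'image/gif'));    // a real 1x1 GIF
unlink($script);
unlink($gif);
```

Content sniffing alone does not stop a file that is both a valid image and contains script text, which is why the name and extension are assigned by the server. Stored uploads should also live in a location where the web server does not execute PHP.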