CVE-2018-18382

Name of the Vulnerable Software and Affected Versions Advanced HRM version 1.6

Description The issue allows for Remote Code Execution via PHP code in a .php file to the "user/update-user-avatar" URI. This can be accessed through an "Update Profile" "Change Picture" action, also known as "user/edit-profile".

Recommendations For Advanced HRM version 1.6, consider restricting access to the "user/update-user-avatar" URI until a patch is available. As a temporary workaround, avoid using the "Update Profile" "Change Picture" action to minimize the risk of exploitation.