Affected Component
Description
In Simple Exam Reviewer Management System v1.0 the User List function suffers from insecure file upload.
Steps to reproduce
Log in as a low-privileged user.
Navigate to the endpoint below:
"/admin/?page=user/list"
Choose any user, click on Action and select Edit.
There is an avatar upload function for the user, where any file can be uploaded.
It is possible to upload malicious files, including a PHP file for remote code execution, an SVG for cross-site scripting, and so on.
Impact
Insecure file upload leads to remote code execution and cross-site scripting.
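
A mitigation for the avatar upload described above, as an added example that is not the application's own code: a hypothetical `store_avatar()` helper that allowlists raster image types by content, re-encodes the image, and writes it under a server-generated name. The function name, size limit and storage directory are assumptions, and the fileinfo and GD extensions are assumed to be available.

```php
<?php
// Added example: hypothetical hardened avatar handler, not the application's own code.
// Assumes the fileinfo and GD extensions; $destDir is a caller-chosen storage directory.

const AVATAR_MAX_BYTES = 2097152; // 2 MiB, constructed limit

/**
 * Validate one $_FILES entry and store it under a server-chosen name.
 * Returns the stored file name; throws RuntimeException when the upload is rejected.
 */
function store_avatar(array $file, string $destDir): string
{
    // Allowlist keyed by detected MIME type: [extension to write, GD encoder to use].
    $allowed = [
        'image/jpeg' => ['jpg', 'imagejpeg'],
        'image/png'  => ['png', 'imagepng'],
        'image/gif'  => ['gif', 'imagegif'],
    ];

    if (!isset($file['error'], $file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if (filesize($file['tmp_name']) > AVATAR_MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Decide the type from the bytes, never from the client-supplied name or Content-Type.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('type not allowed'); // .php, .svg, .html end here
    }

    // Decode and re-encode so only pixel data reaches disk; trailing or embedded
    // script content in a file that merely starts like an image is dropped.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    imagesavealpha($img, true); // keep PNG transparency

    // Server-generated name plus allowlisted extension; the original name is discarded.
    list($ext, $encode) = $allowed[$mime];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!$encode($img, rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('could not store image');
    }
    return $name;
}
```

Storing the result in a directory the web server never passes to the PHP interpreter adds a second layer if the type check is ever bypassed.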