DEVOME GRR
DEVOME GRR before 3.4.1c is vulnerable to a file upload restriction bypass that allows remote code execution.
To exploit this vulnerability, an attacker must be authenticated with admin privileges.
On the resource's edit page (admin_edit_room.php), the attacker can bypass the image upload control by uploading a malicious PHP script with the extension ".php.png", ".php.gif" or ".php.jpg", and get code execution by accessing the uploaded PHP script in the directory /images/.
The name of the script on the server is displayed on the admin_edit_room.php page after it has been uploaded.
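For defenders, an audit of an existing /images/ directory for uploads matching the pattern described above, as an added example that is not part of the advisory or of GRR's own code. The list of script extensions, the function names and the sample files are assumptions constructed for illustration; pass your real upload directory to `audit_dir`.

```python
import os
import tempfile

# Assumption: extensions a PHP-enabled server may treat as scripts; adjust to your config.
SCRIPT_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "pht"}
# Magic bytes for the three image types named in the advisory.
MAGIC = {"png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a"), "jpg": (b"\xff\xd8\xff",)}

def audit_file(path):
    """Return a list of findings for one uploaded file (empty list means clean)."""
    findings = []
    parts = os.path.basename(path).lower().split(".")
    # Flag a script extension in any segment after the base name, e.g. "x.php.png".
    if SCRIPT_EXTS & set(parts[1:]):
        findings.append("script extension in file name")
    with open(path, "rb") as fh:
        data = fh.read()
    # The final extension claims an image type; the leading bytes must agree.
    if parts[-1] in MAGIC and not data.startswith(MAGIC[parts[-1]]):
        findings.append("content does not match image type")
    if b"<?php" in data.lower():
        findings.append("PHP open tag in file body")
    return findings

def audit_dir(root):
    """Walk an upload directory and map relative path -> findings for flagged files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            findings = audit_file(full)
            if findings:
                report[os.path.relpath(full, root)] = findings
    return report

def build_sample_dir():
    """Constructed sample data: a clean PNG stub, a double-extension file, a mislabeled GIF."""
    root = tempfile.mkdtemp(prefix="grr_images_")
    samples = {
        "room_12.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "room_13.php.png": b"<?php /* constructed placeholder */ ?>",
        "room_14.jpg": b"GIF89a" + b"\x00" * 16,
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, found in sorted(audit_dir(build_sample_dir()).items()):
        print(rel, "->", "; ".join(found))
```

The same three checks (no script extension in any name segment, magic bytes matching the claimed type, server-generated storage name) are what an upload handler should enforce before writing the file.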