eFront LMS v3.6.14 - build 18012 Multiple Vulnerabilities

eFront LMS v3.6.14 - build 18012 is vulnerable to :

1. Arbitrary File Upload & Internal Path Disclosure 

2. Access to restricted folder ( Backup )

[-] Disclosure timeline:

--------------------------------

[13/12/2013] - Vulnerabilities discovered

[13/12/2013] - Issues reported to Vendor by E-Mail

[17/12/2013] - Vendor update released [ v3.6.14.2 - build 18013 - build 18013 ]: http://forum.efrontlearning.net/viewtopic.php?f=15&t=8522

[18/12/2013] - Public disclosure

Details has been published on : 

http://packetstormsecurity.com/files/124595/eFront-LMS-3.6.14-File-Upload-Path-Disclosure.html

http://secunia.com/advisories/50502/