A flaw in DoceboLMS can be exploited to attack user’s system. It is due to improper verification of input data passed to „message[attach]“ parameter in index.php. The data are used to download files. An attacker may use the flaw to upload and execute arbitrary PHP files.
Flaw was found in version 4.0.4.

Source: Secunia
13.12.2011