Vulnerability exists in /attachments routing

After logging in to the background, there is an interface for uploading arbitrary files. You can upload php files by building network packages to obtain webshell