diff --git a/admin/admin_settings_save.php b/admin/admin_settings_save.php
index 900b70ef..dbec28e6 100644
--- a/admin/admin_settings_save.php
+++ b/admin/admin_settings_save.php
@@ -502,19 +502,30 @@
 if ($set['login_background_type'] == 'color') {
 unlink($hesk_settings['cache_dir'] . '/' . $set['login_background']);
 $set['login_background'] = hesk_input(hesk_POST('login-background-color'));
 } else {
- $file_name = $_FILES['login-attachment-image']['name'];
+ $file_name = hesk_cleanFileName($_FILES['login-attachment-image']['name']);
 if (!empty($file_name)) {
- unlink($hesk_settings['cache_dir'] . '/' . $set['login_background']);
-
 $file_size = $_FILES['login-attachment-image']['size'];
 if ($file_size > $hesk_settings['attachments']['max_size']) {
 return hesk_fileError(sprintf($hesklang['file_too_large'], $file_name));
 }
+ unlink($hesk_settings['cache_dir'] . '/login-background/' . $set['login_background']);
+
+ $useChars = 'AEUYBDGHJLMNPQRSTVWXZ123456789';
+ $tmp = uniqid();
+ for ($j = 1; $j < 10; $j++) {
+ $tmp .= $useChars{mt_rand(0, 29)};
+ }
+
+ $file_to_move = $_FILES['login-attachment-image']['tmp_name'];
+ if (!move_uploaded_file($file_to_move, __DIR__ . '/../' . $hesk_settings['cache_dir'] . '/login-background/' . $file_name)) {
+ hesk_error($hesklang['cannot_move_tmp']);
+ }
+
+ $set['login_background'] = $file_name;
 }
 }
-$set['login_background'] = hesk_input(hesk_POST('login-background'));
 
 mfh_updateSetting('rtl', $set['rtl']);
 mfh_updateSetting('show_icons', $set['show-icons']);
 mfh_updateSetting('custom_field_setting', $set['custom-field-setting']);
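Review bot: The random name accumulated in `$tmp` on the new side is never used — `move_uploaded_file` stores the upload under the user-supplied `$file_name`, so the loop is dead code, and its `$useChars{mt_rand(0, 29)}` string-offset syntax is a parse error on PHP 8. If the intent is an unguessable, collision-free stored name, actually derive the target from it, e.g. `$useChars[mt_rand(0, 29)]` in the loop and `$file_name = $tmp . '.' . strtolower(pathinfo($file_name, PATHINFO_EXTENSION));` before the move, and make sure the extension is checked against an image allowlist before the file lands in `cache_dir` unless `hesk_cleanFileName` already enforces that (not visible here). The added `unlink` also resolves `$hesk_settings['cache_dir']` relative to the working directory while the move resolves it against `__DIR__ . '/../'`, and it runs even when `$set['login_background']` is empty, so the old background may survive or a warning may be raised; guard it as `if ($set['login_background'] !== '' && is_file($old)) { unlink($old); }` with `$old` built from the same base path as the move. Neither `unlink` nor `move_uploaded_file` failure leaves `$set['login_background']` consistent with what is on disk, which is worth a one-line comment at the assignment.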