Description
LabCollector 6.0 through 6.15 allows remote code execution. An authenticated remote low-privileged user can upload an executable PHP file and execute system commands. The vulnerability is in the message function and is due to insufficient validation of the file being sent (such as shell.jpg.php.shell).
References (3)
Core References
Exploit, Third Party Advisory: https://github.com/Toxich4/CVE-2023-33253
Product: https://labcollector.com/
Release Notes: https://labcollector.com/changelog-labcollector/
Scores
CVSS v3: 8.8
EPSS: 0.4435
EPSS Percentile: 97.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-434
Status: published
Products (1)
agilebio/labcollector: 6.0 - 6.15
Published: Jun 12, 2023
Tracked Since: Feb 18, 2026