CVE-2023-33253

HIGH

LabCollector 6.0-6.15 - Authenticated Remote Code Execution via Message Function File Upload

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-33253. PoCs published by Toxich4.

AI-analyzed exploit summary This exploit leverages an authenticated arbitrary file upload vulnerability in LabCollector (CVE-2023-33253) to upload a malicious PHP file with a deceptive extension (e.g., shell.jpg.php.shell) and execute system commands via a GET parameter. The PoC includes authentication, file upload, and command execution functionality.

Description

LabCollector 6.0 though 6.15 allows remote code execution. An authenticated remote low-privileged user can upload an executable PHP file and execute system commands. The vulnerability is in the message function, and is due to insufficient validation of the file (such as shell.jpg.php.shell) being sent.

Exploits (1)

nomisec WORKING POC 4 stars
by Toxich4 · poc
https://github.com/Toxich4/CVE-2023-33253

This exploit leverages an authenticated arbitrary file upload vulnerability in LabCollector (CVE-2023-33253) to upload a malicious PHP file with a deceptive extension (e.g., shell.jpg.php.shell) and execute system commands via a GET parameter. The PoC includes authentication, file upload, and command execution functionality.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: LabCollector <= 6.15
Auth required
Prerequisites: Valid credentials for LabCollector · Network access to the target · File upload endpoint accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 8.8
EPSS 0.0251
EPSS Percentile 82.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
agilebio/labcollector 6.0 - 6.15
Published Jun 12, 2023
Tracked Since Feb 18, 2026