PT-2023-24247 · Unknown · Labcollector
Toxich4 · Published 2023-06-12 · Updated 2023-07-21 · CVE-2023-33253
CVSS v3.1 8.8 High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
LabCollector versions 6.0 through 6.15
Description
The issue allows remote code execution. An authenticated remote low-privileged user can upload an executable PHP file and execute system commands. The problem is due to insufficient validation of the uploaded file, so that files with names like shell.jpg.php.shell are accepted. This vulnerability is in the message function.
Recommendations
For versions 6.0 through 6.15, consider disabling the message function until a patch is available to prevent remote code execution. Restrict access to file uploads to minimize the risk of exploitation. Avoid using the file upload feature in the affected versions until the issue is resolved.
Exploit
Fix
Weakness Enumeration
Unrestricted File Upload
Related identifiers
Affected products
Labcollector
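As an added example (not from the advisory and not LabCollector's own code), a filename check of the kind the description calls for: it rejects the double-extension name shell.jpg.php.shell quoted above and is shown next to the weak "allowed extension appears somewhere in the name" check that lets it through. The extension allowlist, the stem pattern and the hash-based storage name are illustrative assumptions.

```python
import hashlib
import re

# Extensions an attachment handler might accept; an illustrative allowlist,
# not LabCollector's real configuration.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Characters we are willing to keep in a filename stem (assumed policy).
_STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def naive_allowed(filename: str) -> bool:
    """The weak style of check the advisory describes: accept the upload if an
    allowed extension appears anywhere in the name. 'shell.jpg.php.shell' passes
    because '.jpg' is a substring, even though the server may still run it as PHP."""
    lowered = filename.lower()
    return any("." + ext in lowered for ext in ALLOWED_EXTENSIONS)


def check_filename(filename: str) -> str:
    """Return 'ok' or a rejection reason for a client-supplied filename.

    Accepts only 'stem.ext' with exactly one dot, a safe stem and an allowlisted
    extension, so multi-extension names are rejected regardless of how the web
    server maps extensions to handlers."""
    if not filename:
        return "empty"
    if any(ord(c) < 0x20 for c in filename):
        return "control-characters"          # e.g. a NUL byte splitting the name
    if "/" in filename or "\\" in filename:
        return "path-separator"              # client must not choose the directory
    parts = filename.split(".")
    if len(parts) != 2:
        return "multiple-or-missing-extension"
    stem, ext = parts
    if not _STEM_RE.match(stem):
        return "bad-stem"
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return "extension-not-allowed"
    return "ok"


def storage_name(filename: str, content: bytes) -> str:
    """Name the stored file from its content hash plus the validated extension,
    so the client-chosen name never reaches the filesystem. Raises ValueError
    with the rejection reason for a bad name."""
    verdict = check_filename(filename)
    if verdict != "ok":
        raise ValueError(verdict)
    ext = filename.rsplit(".", 1)[1].lower()
    return hashlib.sha256(content).hexdigest()[:24] + "." + ext
```

Pair the check with a server-side rule that the upload directory is never mapped to a script handler; the filename check alone is the last line of defence, not the only one.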