PT-2023-24247 · Unknown · Labcollector

Toxich4 · Published 2023-06-12 · Updated 2023-07-21 · CVE-2023-33253

CVSS v3.1 8.8 High
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions LabCollector versions 6.0 through 6.15
Description The issue allows remote code execution. An authenticated remote low-privileged user can upload an executable PHP file and execute system commands. The problem is insufficient validation of the uploaded file: a name such as shell.jpg.php.shell, which carries a .php segment that is not the final extension, is accepted. This vulnerability is in the message function.
Recommendations For versions 6.0 through 6.15, consider disabling the message function until a patch is available to prevent remote code execution. Restrict access to file uploads to minimize the risk of exploitation, and avoid using the file upload feature in the affected versions until the issue is resolved.
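To make the validation failure concrete, the following added example (written for this advisory, not LabCollector's own code) contrasts a weak check that inspects only the final extension, which lets shell.jpg.php.shell through, with a validator that rejects an executable segment anywhere in the name and stores the file under a server-generated name. The allowlist, the executable-segment set and the function names are assumptions.

```python
import secrets
from typing import Optional

# Constructed allowlist for this example; the real upload feature decides what it needs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Segments a PHP web server may route to the interpreter even when they are not the
# last part of the name (AddHandler-style multi-extension matching).
EXECUTABLE_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def weak_last_extension_check(filename: str) -> bool:
    """Illustrative weak pattern (assumed, not the product's code): denies only a
    final executable extension, so 'shell.jpg.php.shell' passes."""
    return filename.rsplit(".", 1)[-1].lower() not in EXECUTABLE_SEGMENTS


def validate_upload_name(filename: str) -> Optional[str]:
    """Return a server-generated storage name if the upload is acceptable,
    or None if it must be rejected."""
    # Reject path separators and NUL so the client cannot choose the directory.
    if not filename or "/" in filename or "\\" in filename or "\x00" in filename:
        return None
    segments = filename.lower().split(".")
    # Need a base name plus an extension; no empty segment (leading dot, 'a..b').
    if len(segments) < 2 or "" in segments:
        return None
    # An executable segment anywhere after the base name is rejected, which is
    # exactly the case the final-extension check misses.
    if any(seg in EXECUTABLE_SEGMENTS for seg in segments[1:]):
        return None
    ext = segments[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return None
    # Discard the client-supplied name entirely; only the vetted extension survives.
    return f"{secrets.token_hex(16)}.{ext}"
```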

Weakness Enumeration Unrestricted File Upload

Related Identifiers CVE-2023-33253

Affected Products Labcollector