LabCollector 6.0 though 6.15 allows remote code execution An authenticated remote low-privileged user can upload an executable PHP file and execute system commands. The vulnerability is in the message function, and is due to insufficient validation of the file (such as shell.jpg.php.shell) being sent. Tested on Windows Server 2019 x64
How to use:
python CVE-2023-33253 -t 127.0.0.1 -u user -p user
PoC:
