Cyber Posture

CVE-2023-46400

Critical

Published: 23 January 2025

Modified: 07 February 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.9th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-46400 is a critical-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Kwhotel Kwhotel. Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score ranks at the 30.9th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: SI-2 requires timely identification, reporting, and correction of the specific CSV formula injection flaw in KWHotel's add guest function.

Prevent: SI-15 mandates filtering of information output to prevent malicious formulas from being embedded in CSV files generated by the add guest function.

Prevent: SI-10 enforces validation of inputs to the add guest function, rejecting malicious payloads that could lead to formula injection in CSV exports.

NVD Description

KWHotel 0.47 is vulnerable to CSV Formula Injection in the add guest function.

Deeper analysis (AI-generated)

KWHotel version 0.47 is affected by CVE-2023-46400, a CSV Formula Injection vulnerability present in the add guest function. This flaw, associated with CWE-1236, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact across confidentiality, integrity, and availability.

The vulnerability can be exploited by any unauthenticated attacker with network access, requiring low complexity and no user interaction. Exploitation involves supplying formula text in guest data that the add guest function writes to CSV output; the formula is evaluated when the exported file is opened in a spreadsheet application, potentially leading to arbitrary code execution.

Advisories and further technical details are available in the referenced GitHub gist at https://gist.github.com/6en6ar/5d39374d6ced8acbe489e0b1b932d056. Security practitioners should consult this source for exploitation proofs, patch information, or workarounds specific to KWHotel deployments.
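The two controls above in practice, as an added example that is not KWHotel's code: an input check that flags formula-like fields at the add-guest boundary (SI-10) and an export routine that neutralizes every cell before the file reaches a spreadsheet (SI-15). Field names, sample records and function names are constructed for illustration.

```python
"""Neutralize spreadsheet formula triggers in a CSV export (CWE-1236).
Added example, not KWHotel code: field names, records and function names are
constructed to illustrate SI-10 (reject at input) and SI-15 (filter at output)."""
import csv
import io

# Leading characters Excel, LibreOffice and Google Sheets treat as the start of
# a formula (=, +, -, @) or that can precede one (tab, carriage return).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
FIELDNAMES = ["first_name", "last_name", "notes"]

def looks_like_formula(value: str) -> bool:
    """True if a spreadsheet opening the CSV would evaluate this cell. Leading
    spaces are skipped so ' =1+1' is caught; phone numbers like '+48 ...' are
    flagged too, an accepted trade-off for an export filter."""
    stripped = value.lstrip(" ")
    return stripped != "" and stripped[0] in FORMULA_TRIGGERS

def flagged_fields(guest: dict) -> list:
    """SI-10 at the add-guest boundary: fields whose value would be treated as
    a formula, so the caller can reject the record or log it."""
    return [k for k, v in guest.items()
            if isinstance(v, str) and looks_like_formula(v)]

def neutralize_cell(value) -> str:
    """SI-15 at export: prefix a formula-like cell with a single quote so the
    spreadsheet stores it as literal text; None becomes an empty cell."""
    text = "" if value is None else str(value)
    return "'" + text if looks_like_formula(text) else text

def export_guests_csv(guests: list, fieldnames: list = FIELDNAMES) -> str:
    """Render guest records as CSV with every cell neutralized and quoted;
    QUOTE_ALL keeps embedded commas and quotes from breaking the row layout."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for guest in guests:
        writer.writerow({k: neutralize_cell(guest.get(k)) for k in fieldnames})
    return buf.getvalue()

# Constructed sample records: one benign, one whose notes field starts with '='.
SAMPLE_GUESTS = [
    {"first_name": "Anna", "last_name": "Kowalska", "notes": "Sea view, 2 beds"},
    {"first_name": "Jan", "last_name": "Nowak", "notes": "=1+1"},
]
```

Rejecting at input (flagged_fields) and neutralizing at output (neutralize_cell) are complementary: the first keeps formula text out of the database, the second protects exports of records that were stored before the check existed.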

Details

CWE(s)

CWE-1236 (Improper Neutralization of Formula Elements in a CSV File)

Affected Products

Vendor: kwhotel, Product: kwhotel, Version: 0.47

CVEs Like This One

CVE-2023-46401 (same product: Kwhotel Kwhotel)
CVE-2024-55532 (shared CWE-1236)
CVE-2020-36962 (shared CWE-1236)
CVE-2020-36941 (shared CWE-1236)
CVE-2023-51311 (shared CWE-1236)
CVE-2025-50572 (shared CWE-1236)
CVE-2025-55745 (shared CWE-1236)
CVE-2023-51319 (shared CWE-1236)
CVE-2021-47901 (shared CWE-1236)
CVE-2023-51336 (shared CWE-1236)

References