CVE-2023-46401
Published: 23 January 2025
Summary
CVE-2023-46401 is a critical-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Kwhotel Kwhotel. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2023-46401 is a CSV Formula Injection vulnerability in the invoice adding function of KWHotel version 0.47. Published on 2025-01-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-1236.
The vulnerability can be exploited by any unauthenticated remote attacker over the network, requiring low complexity and no user interaction. Successful exploitation enables high-impact consequences on confidentiality, integrity, and availability.
Mitigation details are available in the referenced advisory at https://gist.github.com/6en6ar/5d39374d6ced8acbe489e0b1b932d056.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-50621
Vulnerability details
KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of public-facing web app via invoice CSV injection directly matches T1190; resulting malicious formula payload in CSV file opened by victim enables T1204.002.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly validates user inputs in the invoice adding function to block malicious formulas from being injected into CSV outputs.
Filters CSV outputs to encode special characters, preventing formula injection when files are opened in spreadsheet applications.
Requires timely remediation of the specific flaw in KWHotel 0.47 via patching to eliminate the CSV formula injection vulnerability.