Cyber Resilience

CVE-2023-46401

CriticalPublic PoC

Published: 23 January 2025

Published
23 January 2025
Modified
04 February 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0013 31.7th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-46401 is a critical-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Kwhotel Kwhotel. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2023-46401 is a CSV Formula Injection vulnerability in the invoice adding function of KWHotel version 0.47. Published on 2025-01-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-1236.

The vulnerability can be exploited by any unauthenticated remote attacker over the network, requiring low complexity and no user interaction. Successful exploitation enables high-impact consequences on confidentiality, integrity, and availability.

Mitigation details are available in the referenced advisory at https://gist.github.com/6en6ar/5d39374d6ced8acbe489e0b1b932d056.

EU & UK References

Vulnerability details

KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Remote unauthenticated exploitation of public-facing web app via invoice CSV injection directly matches T1190; resulting malicious formula payload in CSV file opened by victim enables T1204.002.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-46400Same product: Kwhotel Kwhotel
CVE-2023-51302Shared CWE-1236
CVE-2020-36962Shared CWE-1236
CVE-2024-45084Shared CWE-1236
CVE-2025-55745Shared CWE-1236
CVE-2026-35157Shared CWE-1236
CVE-2023-53913Shared CWE-1236
CVE-2023-51333Shared CWE-1236
CVE-2024-55532Shared CWE-1236
CVE-2026-23873Shared CWE-1236

Affected Assets

kwhotel
kwhotel
0.47

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates user inputs in the invoice adding function to block malicious formulas from being injected into CSV outputs.

prevent

Filters CSV outputs to encode special characters, preventing formula injection when files are opened in spreadsheet applications.

prevent

Requires timely remediation of the specific flaw in KWHotel 0.47 via patching to eliminate the CSV formula injection vulnerability.

References