CVE-2023-46401
Published: 23 January 2025
Summary
CVE-2023-46401 is a critical-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Kwhotel Kwhotel. Its CVSS base score is 9.8 (Critical).
Operationally, ranked at the 31.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates user inputs in the invoice adding function to block malicious formulas from being injected into CSV outputs.
Filters CSV outputs to encode special characters, preventing formula injection when files are opened in spreadsheet applications.
Requires timely remediation of the specific flaw in KWHotel 0.47 via patching to eliminate the CSV formula injection vulnerability.
NVD Description
KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function.
Deeper analysisAI
CVE-2023-46401 is a CSV Formula Injection vulnerability in the invoice adding function of KWHotel version 0.47. Published on 2025-01-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-1236.
The vulnerability can be exploited by any unauthenticated remote attacker over the network, requiring low complexity and no user interaction. Successful exploitation enables high-impact consequences on confidentiality, integrity, and availability.
Mitigation details are available in the referenced advisory at https://gist.github.com/6en6ar/5d39374d6ced8acbe489e0b1b932d056.
Details
- CWE(s)