CVE-2023-51302
Published: 19 February 2025
Summary
CVE-2023-51302 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Phpjabbers Hotel Booking System. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2023-51302 is a CSV injection vulnerability in PHPJabbers Hotel Booking System version 4.0. The flaw arises from insufficient input validation in the Languages section Labels any parameters field within System Options, where user-supplied data is used to construct CSV files without proper sanitization. This enables attackers to embed malicious payloads into exported CSV content.
An unauthenticated attacker (PR:N) can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R), such as an administrator opening the exported CSV file in a spreadsheet application like Excel. Successful exploitation leads to remote code execution, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8 and no change in scope (S:U). The issue maps to CWE-1236.
Advisories and details are available in references including the Packet Storm Security report at http://packetstormsecurity.com/files/176489/PHPJabbers-Hotel-Booking-System-4.0-CSV-Injection.html and the vendor product page at https://www.phpjabbers.com/hotel-booking-system/#sectionDemo. Security practitioners should review these for recommended mitigations, such as input validation updates or restricting CSV exports.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-56023
Vulnerability details
PHPJabbers Hotel Booking System v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used…
more
to construct CSV file.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables injection of malicious CSV payloads via the web app (T1190) that execute on victim open (T1204.002).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the insufficient input validation in the Languages section Labels field that allows embedding malicious payloads into CSV files.
Filters CSV file outputs to sanitize user-supplied data and prevent injection of payloads exploitable in spreadsheet applications.
Ensures timely identification, reporting, and correction of the CSV injection flaw in PHPJabbers Hotel Booking System v4.0.