Cyber Resilience

CVE-2023-51302

HighPublic PoC

Published: 19 February 2025

Published
19 February 2025
Modified
23 April 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0013 32.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-51302 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Phpjabbers Hotel Booking System. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2023-51302 is a CSV injection vulnerability in PHPJabbers Hotel Booking System version 4.0. The flaw arises from insufficient input validation in the Languages section Labels any parameters field within System Options, where user-supplied data is used to construct CSV files without proper sanitization. This enables attackers to embed malicious payloads into exported CSV content.

An unauthenticated attacker (PR:N) can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R), such as an administrator opening the exported CSV file in a spreadsheet application like Excel. Successful exploitation leads to remote code execution, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8 and no change in scope (S:U). The issue maps to CWE-1236.

Advisories and details are available in references including the Packet Storm Security report at http://packetstormsecurity.com/files/176489/PHPJabbers-Hotel-Booking-System-4.0-CSV-Injection.html and the vendor product page at https://www.phpjabbers.com/hotel-booking-system/#sectionDemo. Security practitioners should review these for recommended mitigations, such as input validation updates or restricting CSV exports.

EU & UK References

Vulnerability details

PHPJabbers Hotel Booking System v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used…

more

to construct CSV file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

CVE enables injection of malicious CSV payloads via the web app (T1190) that execute on victim open (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-51301Same product: Phpjabbers Hotel Booking System
CVE-2023-51333Same vendor: Phpjabbers
CVE-2023-51319Same vendor: Phpjabbers
CVE-2023-51311Same vendor: Phpjabbers
CVE-2023-51336Same vendor: Phpjabbers
CVE-2023-46401Shared CWE-1236
CVE-2020-36962Shared CWE-1236
CVE-2024-45084Shared CWE-1236
CVE-2023-51313Same vendor: Phpjabbers
CVE-2025-55745Shared CWE-1236

Affected Assets

phpjabbers
hotel booking system
4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the insufficient input validation in the Languages section Labels field that allows embedding malicious payloads into CSV files.

prevent

Filters CSV file outputs to sanitize user-supplied data and prevent injection of payloads exploitable in spreadsheet applications.

prevent

Ensures timely identification, reporting, and correction of the CSV injection flaw in PHPJabbers Hotel Booking System v4.0.

References