CVE-2023-51302

HighPublic PoC

Published: 19 February 2025

Published

19 February 2025

Modified

23 April 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0013 32.4th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-51302 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Phpjabbers Hotel Booking System. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 32.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates the insufficient input validation in the Languages section Labels field that allows embedding malicious payloads into CSV files.

SI-15 Information Output Filtering good match

prevent

Filters CSV file outputs to sanitize user-supplied data and prevent injection of payloads exploitable in spreadsheet applications.

SI-2 Flaw Remediation good match

prevent

Ensures timely identification, reporting, and correction of the CSV injection flaw in PHPJabbers Hotel Booking System v4.0.

NVD Description

PHPJabbers Hotel Booking System v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used…

to construct CSV file.

Deeper analysisAI

CVE-2023-51302 is a CSV injection vulnerability in PHPJabbers Hotel Booking System version 4.0. The flaw arises from insufficient input validation in the Languages section Labels any parameters field within System Options, where user-supplied data is used to construct CSV files without proper sanitization. This enables attackers to embed malicious payloads into exported CSV content.

An unauthenticated attacker (PR:N) can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R), such as an administrator opening the exported CSV file in a spreadsheet application like Excel. Successful exploitation leads to remote code execution, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8 and no change in scope (S:U). The issue maps to CWE-1236.

Advisories and details are available in references including the Packet Storm Security report at http://packetstormsecurity.com/files/176489/PHPJabbers-Hotel-Booking-System-4.0-CSV-Injection.html and the vendor product page at https://www.phpjabbers.com/hotel-booking-system/#sectionDemo. Security practitioners should review these for recommended mitigations, such as input validation updates or restricting CSV exports.

Details

CWE(s): CWE-1236

Affected Products

phpjabbers

hotel booking system

4.0

CVEs Like This One

CVE-2023-51301Same product: Phpjabbers Hotel Booking System

CVE-2023-51311Same vendor: Phpjabbers

CVE-2023-51319Same vendor: Phpjabbers

CVE-2023-51336Same vendor: Phpjabbers

CVE-2023-51333Same vendor: Phpjabbers

CVE-2023-51293Same vendor: Phpjabbers

CVE-2023-53926Same vendor: Phpjabbers

CVE-2023-51313Same vendor: Phpjabbers

CVE-2023-51316Same vendor: Phpjabbers

CVE-2024-57428Same vendor: Phpjabbers

References

http://packetstormsecurity.com/files/176489/PHPJabbers-Hotel-Booking-System-4.0-CSV-Injection.html
Exploit, Third Party Advisory, VDB Entry · cve@mitre.org
https://www.phpjabbers.com/hotel-booking-system/#sectionDemo
Product · cve@mitre.org