CVE-2023-51311
Published: 20 February 2025
Summary
CVE-2023-51311 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Phpjabbers Car Park Booking System. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 33.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2023-51311 is a CSV Injection vulnerability in PHPJabbers Car Park Booking System version 3.0. The issue arises from insufficient input validation in the Languages section Labels any parameters field within System Options, where user-supplied data is used to construct CSV files. This flaw, associated with CWE-1236, has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with low privileges can exploit the vulnerability remotely with low complexity and no user interaction required. By injecting malicious payloads into the affected field, the attacker can embed executable formulas or commands in the resulting CSV file, potentially leading to remote code execution when the file is opened in a spreadsheet application like Microsoft Excel.
Packet Storm advisories, such as those at https://packetstorm.news/files/id/176494 and http://packetstormsecurity.com/files/176494/PHPJabbers-Car-Park-Booking-System-3.0-CSV-Injection.html, detail the vulnerability and proof-of-concept exploit. No patches or specific mitigations are described in the provided references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-56032
Vulnerability details
PHPJabbers Car Park Booking System v3.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is…
more
used to construct CSV file.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSV injection enables creation of malicious file (T1204.002) that executes commands on open in spreadsheet apps.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the insufficient input validation in the Languages section by requiring validation mechanisms to block malicious payloads before CSV construction.
Filters output in generated CSV files to neutralize injected formulas or commands that could execute in spreadsheet applications.
Requires timely remediation of the identified flaw in CSV injection handling to prevent exploitation.