CVE-2023-51311

HighPublic PoC

Published: 20 February 2025

Published

20 February 2025

Modified

04 November 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0014 33.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-51311 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Phpjabbers Car Park Booking System. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 33.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the insufficient input validation in the Languages section by requiring validation mechanisms to block malicious payloads before CSV construction.

SI-15 Information Output Filtering good match

prevent

Filters output in generated CSV files to neutralize injected formulas or commands that could execute in spreadsheet applications.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the identified flaw in CSV injection handling to prevent exploitation.

NVD Description

PHPJabbers Car Park Booking System v3.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is…

used to construct CSV file.

Deeper analysisAI

CVE-2023-51311 is a CSV Injection vulnerability in PHPJabbers Car Park Booking System version 3.0. The issue arises from insufficient input validation in the Languages section Labels any parameters field within System Options, where user-supplied data is used to construct CSV files. This flaw, associated with CWE-1236, has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker with low privileges can exploit the vulnerability remotely with low complexity and no user interaction required. By injecting malicious payloads into the affected field, the attacker can embed executable formulas or commands in the resulting CSV file, potentially leading to remote code execution when the file is opened in a spreadsheet application like Microsoft Excel.

Packet Storm advisories, such as those at https://packetstorm.news/files/id/176494 and http://packetstormsecurity.com/files/176494/PHPJabbers-Car-Park-Booking-System-3.0-CSV-Injection.html, detail the vulnerability and proof-of-concept exploit. No patches or specific mitigations are described in the provided references.

Details

CWE(s): CWE-1236

Affected Products

phpjabbers

car park booking system

3.0

CVEs Like This One

CVE-2023-51319Same vendor: Phpjabbers

CVE-2023-51336Same vendor: Phpjabbers

CVE-2023-51333Same vendor: Phpjabbers

CVE-2023-51302Same vendor: Phpjabbers

CVE-2023-51293Same vendor: Phpjabbers

CVE-2023-51301Same vendor: Phpjabbers

CVE-2023-53926Same vendor: Phpjabbers

CVE-2023-51313Same vendor: Phpjabbers

CVE-2023-51316Same vendor: Phpjabbers

CVE-2024-57428Same vendor: Phpjabbers

References

https://packetstorm.news/files/id/176494
Exploit, Third Party Advisory · cve@mitre.org
https://www.phpjabbers.com/car-park-booking/#sectionDemo
Product · cve@mitre.org
http://packetstormsecurity.com/files/176494/PHPJabbers-Car-Park-Booking-System-3.0-CSV-Injection.html
af854a3a-2127-422b-91ae-364da2661108
https://packetstorm.news/files/id/176494
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0