CVE-2023-51313
Published: 20 February 2025
Summary
CVE-2023-51313 is a high-severity Code Injection (CWE-94) vulnerability in Phpjabbers Restaurant Booking System. Its CVSS base score is 8.8 (High).
Operationally, it ranks at the 32.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the insufficient input validation in the Languages section Labels field that enables CSV injection payloads.
- SI-15 (Information Output Filtering): filters information written to CSV files so that malicious payloads are neutralized before a spreadsheet application interprets them.
- Flaw remediation: ensures timely patching of the specific flaw, the missing input validation on data exported to CSV.
NVD Description
PHPJabbers Restaurant Booking System v3.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.
Deeper analysis
PHPJabbers Restaurant Booking System version 3.0 is affected by CVE-2023-51313, a CSV injection vulnerability stemming from insufficient input validation in the "Labels any parameters" field of the Languages section under System Options. Values submitted to this field are written verbatim into the CSV file the system generates, so an attacker can place spreadsheet formulas in the exported data. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified under CWE-94 (Code Injection). CSV injection is more precisely described by CWE-1236 (Improper Neutralization of Formula Elements in a CSV File), and the "code" runs in the spreadsheet application of whoever opens the file, not on the web server hosting the booking system.
An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L) by submitting crafted input into the vulnerable field. Exploitation requires user interaction (UI:R): an administrator must download the generated CSV and open it in a spreadsheet application such as Microsoft Excel, which evaluates the injected formula (for example a DDE or HYPERLINK expression) and, subject to the application's security warnings, may run commands or exfiltrate cell contents. Successful exploitation is rated as high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) on the victim's workstation.
Advisories, including the Packet Storm Security post and the vendor's product page, describe the vulnerability but do not specify a patch or mitigation in the information provided. Security practitioners should review those references for exploit details and, until a fix is confirmed, neutralize formula-leading characters (=, +, -, @, tab, carriage return) in every cell on export, validate label input at submission time, or disable the CSV export.
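As an added example (not code from PHPJabbers or from this page), the following Python shows the vulnerable export pattern next to the two controls named in the mitigation list above: validation at the input boundary (SI-10) and neutralization of formula-leading cells on output (SI-15), plus a scan that finds already-stored payloads in an exported file. The function names, the sample label strings and the DDE-style payload are constructed for illustration and assume a generic "labels are collected from a web form and exported to CSV" flow; nothing here is derived from the product's actual code.

```python
"""CSV formula-injection (CWE-1236) demo: vulnerable export, hardened export,
input validation and a scanner for stored payloads.

Added example, not PHPJabbers code. All names and sample data are constructed.
"""
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
# Tab and carriage return are included because some spreadsheets strip them
# before deciding whether the cell is a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample: one benign label, one classic Windows DDE payload,
# and one legitimate label that happens to start with a dash.
SAMPLE_LABELS = {
    "btn_book": "Book now",
    "footer": "=cmd|'/C calc'!A0",
    "sep": "--- choose ---",
}


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it."""
    return value.startswith(FORMULA_TRIGGERS)


def label_input_is_acceptable(value: str) -> bool:
    """SI-10 style check at the form boundary: reject formula-leading input.

    Note this also rejects harmless labels such as '--- choose ---', which is
    why output filtering is the more robust control for stored data.
    """
    return not is_formula_cell(value)


def neutralise_cell(value: str) -> str:
    """SI-15 style output filter: a leading apostrophe forces text mode."""
    return "'" + value if is_formula_cell(value) else value


def export_labels_unsafe(labels: dict) -> str:
    """The vulnerable pattern: user-controlled values written verbatim."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(["key", "label"])
    for key, label in labels.items():
        writer.writerow([key, label])
    return buf.getvalue()


def export_labels_safe(labels: dict) -> str:
    """Hardened export: every cell quoted, formula-leading cells neutralised.

    QUOTE_ALL also doubles any embedded double quote, so a payload cannot break
    out of the quoted cell to start a new one.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["key", "label"])
    for key, label in labels.items():
        writer.writerow([neutralise_cell(key), neutralise_cell(label)])
    return buf.getvalue()


def find_formula_cells(csv_text: str) -> list:
    """Scan an existing export for cells a spreadsheet would evaluate.

    Returns (row_index, column_index, value) tuples; row 0 is the header.
    """
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                findings.append((r, c, cell))
    return findings


if __name__ == "__main__":
    unsafe = export_labels_unsafe(SAMPLE_LABELS)
    print("Vulnerable export:\n" + unsafe)
    print("Flagged cells:", find_formula_cells(unsafe))
    print("Hardened export:\n" + export_labels_safe(SAMPLE_LABELS))
```

Running the scanner over the vulnerable export flags both the DDE payload and the dash-prefixed label, which illustrates the practical caveat: a blunt input-validation rule would break legitimate labels, whereas the apostrophe prefix on export keeps them readable while disarming the payload. The scanner is also useful as a one-off check against CSV files already produced by an unpatched instance.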
Details
- CWE(s)