Cyber Resilience

CVE-2023-51313

High · Public PoC · RCE

Published: 20 February 2025
Modified: 23 April 2025
KEV Added: not listed
Patch: none referenced
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0013 (32.4th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-51313 is a high-severity Code Injection (CWE-94) vulnerability in Phpjabbers Restaurant Booking System. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE is ranked at the 32.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

PHPJabbers Restaurant Booking System version 3.0 is affected by CVE-2023-51313, a CSV injection vulnerability stemming from insufficient input validation in the Languages section's "Labels any parameters" field within System Options. This flaw enables attackers to inject payloads into stored data that is subsequently used to construct CSV files. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-94 (Code Injection), potentially allowing remote code execution on the machine of whoever opens the exported file.

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L) by submitting crafted input into the vulnerable field. Exploitation requires user interaction (UI:R), such as an administrator opening the generated CSV file in a spreadsheet application like Microsoft Excel, which interprets the injected formula or command. Successful exploitation grants high-impact access to confidentiality, integrity, and availability (C:H/I:H/A:H), enabling remote code execution on the victim's system.

Advisories, including details from Packet Storm Security and the vendor's product page, highlight the vulnerability but do not specify patches or mitigations in the provided information. Security practitioners should review these references for exploit details and consider input sanitization or disabling CSV exports until remediation is confirmed.


Vulnerability details

PHPJabbers Restaurant Booking System v3.0 is vulnerable to a CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on the Languages section "Labels any parameters" field in System Options that is used to construct the CSV file.

CWE(s): CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1204.002 User Execution: Malicious File
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

CSV injection directly enables crafting of malicious files (formulas/commands) that execute on user open in spreadsheet apps, mapping to T1204.002 User Execution: Malicious File for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-51314 (same product: Phpjabbers Restaurant Booking System)
CVE-2023-51311 (same vendor: Phpjabbers)
CVE-2023-51333 (same vendor: Phpjabbers)
CVE-2023-51319 (same vendor: Phpjabbers)
CVE-2025-61982 (shared CWE-94)
CVE-2026-3476 (shared CWE-94)
CVE-2026-42214 (shared CWE-94)
CVE-2023-51336 (same vendor: Phpjabbers)
CVE-2024-27856 (shared CWE-94)
CVE-2025-24243 (shared CWE-94)

Affected Assets

Vendor: phpjabbers
Product: restaurant booking system
Version: 3.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)
Directly mitigates the insufficient input validation in the Languages section Labels field that enables CSV injection payloads.

SI-15 Information Output Filtering (prevent)
Filters information output to CSV files to neutralize malicious payloads before they are interpreted by spreadsheet applications.

prevent
Ensures timely remediation of the specific flaw causing lack of input validation for CSV export data.
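The exploitation path in the deeper analysis and the SI-15 output-filtering control above describe the same mechanism from two sides: a stored label that begins with a formula trigger reaches the exported CSV unchanged, and a spreadsheet application evaluates it when the file is opened. The Python below is an added example written for this page, not code from PHPJabbers or from the advisory; the `label_key`/`label_text` columns, the function names and the sample labels are constructed. It shows an unfiltered export beside a filtered one, and a small review helper that flags formula-evaluating cells in an existing export before anyone opens it in a spreadsheet.

```python
"""
Output filtering for CSV export in the spirit of NIST 800-53 SI-15.
Illustrative example only: not code from PHPJabbers or from the advisory.
Column names, function names and sample labels are constructed.
"""
import csv
import io

# Leading characters that make a spreadsheet application treat a cell as a
# formula when the CSV is opened. Tab and carriage return are included
# because some applications strip leading whitespace before evaluating.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a spreadsheet-safe representation of one cell value.

    A leading single quote forces spreadsheet applications to treat the cell
    as literal text, so a formula-looking label is displayed, not evaluated.
    Embedded commas and quotes are left to the CSV writer's quoting.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_labels_unfiltered(rows):
    """'Before' version: writes label values to CSV exactly as stored.

    This mirrors the weakness described for the Languages/Labels export:
    whatever was submitted into the field reaches the CSV verbatim.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["label_key", "label_text"])
    for key, label in rows:
        writer.writerow([key, label])
    return buf.getvalue()


def export_labels_filtered(rows):
    """Hardened version: every cell passes through neutralize_cell()."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["label_key", "label_text"])
    for key, label in rows:
        writer.writerow([neutralize_cell(key), neutralize_cell(label)])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Review helper: (row, column) positions of cells that a spreadsheet
    application would evaluate as formulas. Row 0 is the header row.
    """
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c))
    return hits


# Constructed sample data: two ordinary labels and one label whose text
# starts with '=' and would therefore be evaluated on open.
SAMPLE_LABELS = [
    ("menu.title", "Our Menu"),
    ("booking.confirm", "Book a table"),
    ("footer.note", "=SUM(A1:A2)"),
]

if __name__ == "__main__":
    print("unfiltered export flags:", find_formula_cells(export_labels_unfiltered(SAMPLE_LABELS)))
    print("filtered export flags:  ", find_formula_cells(export_labels_filtered(SAMPLE_LABELS)))
    print(export_labels_filtered(SAMPLE_LABELS))
```

Two design points worth noting. Prefixing with a single quote also alters legitimate values that start with a minus sign (a negative number becomes `'-5`), so an export that carries numeric columns should apply `neutralize_cell()` only to free-text columns or accept the cosmetic change. Output filtering on the export path is a backstop: it does not remove the stored payload, so it complements, rather than replaces, SI-10 input validation on the Labels field itself.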
