Cyber Resilience

CVE-2023-51319

HighPublic PoC

Published: 20 February 2025

Published
20 February 2025
Modified
04 November 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0015 35.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-51319 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Phpjabbers Bus Reservation System. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 35.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2023-51319 is a CSV Injection vulnerability in PHPJabbers Bus Reservation System version 1.1. The issue arises from insufficient input validation in the Languages section Labels any parameters field within System Options, where user-supplied data is used to construct CSV files without proper sanitization. This flaw enables attackers to embed malicious payloads in exported CSV content.

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R), such as opening the CSV file in a spreadsheet application like Excel. Successful exploitation allows remote code execution, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8 and no change in scope (S:U). The vulnerability is associated with CWE-1236.

Advisories detailing the vulnerability are available from Packet Storm Security at https://packetstorm.news/files/id/176500 and http://packetstormsecurity.com/files/176500/PHPJabbers-Bus-Reservation-System-1.1-CSV-Injection.html. The vendor's product page, including a demo section, is at https://www.phpjabbers.com/bus-reservation-system/#sectionDemo. No specific patch or mitigation guidance is detailed in the provided references.

EU & UK References

Vulnerability details

PHPJabbers Bus Reservation System v1.1 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used…

more

to construct CSV file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

CSV Injection enables embedding of malicious formulas/payloads in exported files that execute code on victim open in Excel/spreadsheets (T1204.002 Malicious File).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-51316Same product: Phpjabbers Bus Reservation System
CVE-2023-51333Same vendor: Phpjabbers
CVE-2023-51311Same vendor: Phpjabbers
CVE-2023-51302Same vendor: Phpjabbers
CVE-2023-51336Same vendor: Phpjabbers
CVE-2026-23873Shared CWE-1236
CVE-2023-51313Same vendor: Phpjabbers
CVE-2025-56267Shared CWE-1236
CVE-2025-50572Shared CWE-1236
CVE-2025-67851Shared CWE-1236

Affected Assets

phpjabbers
bus reservation system
1.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Filters and sanitizes user-supplied data prior to CSV export, preventing malicious formula injection payloads from being executable when opened in spreadsheet applications.

prevent

Enforces validation of inputs in the Languages section Labels parameters to reject malicious payloads before they are stored and used in CSV construction.

prevent

Requires timely identification and correction of the specific flaw in CSV file construction due to insufficient input handling in the System Options module.

References