CVE-2023-51319
Published: 20 February 2025
Summary
CVE-2023-51319 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Phpjabbers Bus Reservation System. Its CVSS base score is 8.8 (High).
Operationally, ranked at the 34.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Filters and sanitizes user-supplied data prior to CSV export, preventing malicious formula injection payloads from being executable when opened in spreadsheet applications.
Enforces validation of inputs in the Languages section Labels parameters to reject malicious payloads before they are stored and used in CSV construction.
Requires timely identification and correction of the specific flaw in CSV file construction due to insufficient input handling in the System Options module.
NVD Description
PHPJabbers Bus Reservation System v1.1 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used…
more
to construct CSV file.
Deeper analysisAI
CVE-2023-51319 is a CSV Injection vulnerability in PHPJabbers Bus Reservation System version 1.1. The issue arises from insufficient input validation in the Languages section Labels any parameters field within System Options, where user-supplied data is used to construct CSV files without proper sanitization. This flaw enables attackers to embed malicious payloads in exported CSV content.
An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R), such as opening the CSV file in a spreadsheet application like Excel. Successful exploitation allows remote code execution, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8 and no change in scope (S:U). The vulnerability is associated with CWE-1236.
Advisories detailing the vulnerability are available from Packet Storm Security at https://packetstorm.news/files/id/176500 and http://packetstormsecurity.com/files/176500/PHPJabbers-Bus-Reservation-System-1.1-CSV-Injection.html. The vendor's product page, including a demo section, is at https://www.phpjabbers.com/bus-reservation-system/#sectionDemo. No specific patch or mitigation guidance is detailed in the provided references.
Details
- CWE(s)