CVE-2023-51319
Published: 20 February 2025
Summary
CVE-2023-51319 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Phpjabbers Bus Reservation System. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 35.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2023-51319 is a CSV Injection vulnerability in PHPJabbers Bus Reservation System version 1.1. The issue arises from insufficient input validation in the Languages section Labels any parameters field within System Options, where user-supplied data is used to construct CSV files without proper sanitization. This flaw enables attackers to embed malicious payloads in exported CSV content.
An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R), such as opening the CSV file in a spreadsheet application like Excel. Successful exploitation allows remote code execution, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8 and no change in scope (S:U). The vulnerability is associated with CWE-1236.
Advisories detailing the vulnerability are available from Packet Storm Security at https://packetstorm.news/files/id/176500 and http://packetstormsecurity.com/files/176500/PHPJabbers-Bus-Reservation-System-1.1-CSV-Injection.html. The vendor's product page, including a demo section, is at https://www.phpjabbers.com/bus-reservation-system/#sectionDemo. No specific patch or mitigation guidance is detailed in the provided references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-56040
Vulnerability details
PHPJabbers Bus Reservation System v1.1 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used…
more
to construct CSV file.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSV Injection enables embedding of malicious formulas/payloads in exported files that execute code on victim open in Excel/spreadsheets (T1204.002 Malicious File).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Filters and sanitizes user-supplied data prior to CSV export, preventing malicious formula injection payloads from being executable when opened in spreadsheet applications.
Enforces validation of inputs in the Languages section Labels parameters to reject malicious payloads before they are stored and used in CSV construction.
Requires timely identification and correction of the specific flaw in CSV file construction due to insufficient input handling in the System Options module.