CVE-2023-51333
Published: 20 February 2025
Summary
CVE-2023-51333 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Phpjabbers Cinema Booking System. Its CVSS base score is 8.8 (High).
Operationally, ranked at the 22.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the insufficient input validation in the Languages section Labels field that enables injection of malicious CSV payloads.
Filters user-supplied data during CSV file construction to block executable formulas or commands when opened in spreadsheet applications.
Ensures timely identification, reporting, and correction of the CSV injection flaw through systematic flaw remediation processes.
NVD Description
PHPJabbers Cinema Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used…
more
to construct CSV file.
Deeper analysisAI
CVE-2023-51333 is a CSV Injection vulnerability affecting PHPJabbers Cinema Booking System version 1.0. The flaw arises from insufficient input validation in the Languages section Labels any parameters field within System Options, where user-supplied data is used to construct CSV files. This issue, associated with CWE-1236, has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-20.
An attacker with low privileges, such as an authenticated user, can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious payloads into the vulnerable field, the attacker can embed formulas or commands in the generated CSV file. When a higher-privileged user, like an administrator, exports and opens the CSV in a spreadsheet application, the payload executes remote code on the victim's system, potentially leading to high impacts on confidentiality, integrity, and availability.
Advisories referenced in PacketStorm (e.g., http://packetstormsecurity.com/files/176511/PHPJabbers-Cinema-Booking-System-1.0-CSV-Injection.html) detail the vulnerability and proof-of-concept, while the vendor's demo page (https://www.phpjabbers.com/cinema-booking-system/#sectionDemo) provides context on the affected software. No specific patches or mitigation steps from the vendor are mentioned in the available references.
Details
- CWE(s)