CVE-2023-51333
Published: 20 February 2025
Summary
CVE-2023-51333 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Phpjabbers Cinema Booking System. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2023-51333 is a CSV Injection vulnerability affecting PHPJabbers Cinema Booking System version 1.0. The flaw arises from insufficient input validation in the Languages section Labels any parameters field within System Options, where user-supplied data is used to construct CSV files. This issue, associated with CWE-1236, has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-20.
An attacker with low privileges, such as an authenticated user, can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious payloads into the vulnerable field, the attacker can embed formulas or commands in the generated CSV file. When a higher-privileged user, like an administrator, exports and opens the CSV in a spreadsheet application, the payload executes remote code on the victim's system, potentially leading to high impacts on confidentiality, integrity, and availability.
Advisories referenced in PacketStorm (e.g., http://packetstormsecurity.com/files/176511/PHPJabbers-Cinema-Booking-System-1.0-CSV-Injection.html) detail the vulnerability and proof-of-concept, while the vendor's demo page (https://www.phpjabbers.com/cinema-booking-system/#sectionDemo) provides context on the affected software. No specific patches or mitigation steps from the vendor are mentioned in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-56054
Vulnerability details
PHPJabbers Cinema Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used…
more
to construct CSV file.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSV injection directly enables creation of malicious file (T1204.002) containing formulas that execute commands on victim open.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the insufficient input validation in the Languages section Labels field that enables injection of malicious CSV payloads.
Filters user-supplied data during CSV file construction to block executable formulas or commands when opened in spreadsheet applications.
Ensures timely identification, reporting, and correction of the CSV injection flaw through systematic flaw remediation processes.