Cyber Resilience

CVE-2023-51336

HighPublic PoC

Published: 20 February 2025

Published
20 February 2025
Modified
04 November 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0014 33.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-51336 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Phpjabbers Meeting Room Booking System. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 33.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2023-51336 is a CSV injection vulnerability in PHPJabbers Meeting Room Booking System v1.0. The flaw arises from insufficient input validation in the Languages section's Labels any parameters field within System Options, where user-supplied data is used to construct CSV files without proper sanitization. This allows injection of malicious payloads, such as formulas, leading to remote code execution. The vulnerability is associated with CWE-1236 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker with low privileges can exploit this issue remotely over the network with low complexity and no user interaction required. By injecting crafted input into the affected field, the attacker can embed executable code in the resulting CSV file, which executes when opened in applications like spreadsheet software, achieving remote code execution with high impacts on confidentiality, integrity, and availability.

Advisories detailing the vulnerability, including a proof-of-concept, are available via PacketStormsecurity references such as https://packetstorm.news/files/id/176518 and http://packetstormsecurity.com/files/176518/PHPJabbers-Meeting-Room-Booking-System-1.0-CSV-Injection.html. The vendor's demo page at https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo provides additional context on the affected software, though no specific patches or mitigations are detailed in the provided information.

EU & UK References

Vulnerability details

PHPJabbers Meeting Room Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is…

more

used to construct CSV file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1059.003 Windows Command Shell Execution
Adversaries may abuse the Windows command shell for execution.
Why these techniques?

CSV injection enables creation of malicious file (T1204.002) whose formula payload executes via Windows command shell (T1059.003) on open in spreadsheet software.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-51333Same vendor: Phpjabbers
CVE-2023-51319Same vendor: Phpjabbers
CVE-2023-51311Same vendor: Phpjabbers
CVE-2023-51302Same vendor: Phpjabbers
CVE-2025-67851Shared CWE-1236
CVE-2023-54348Shared CWE-1236
CVE-2021-47901Shared CWE-1236
CVE-2023-51313Same vendor: Phpjabbers
CVE-2020-36941Shared CWE-1236
CVE-2023-51316Same vendor: Phpjabbers

Affected Assets

phpjabbers
meeting room booking system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly mandates validation of user-supplied inputs in the Languages section Labels field to block malicious CSV injection payloads.

prevent

SI-15 requires filtering of CSV file outputs to encode or neutralize injected formulas, preventing remote code execution when opened in spreadsheet applications.

prevent

SI-2 ensures timely identification, reporting, and correction of the specific input validation flaw enabling CSV injection.

References