CVE-2023-51336
Published: 20 February 2025
Summary
CVE-2023-51336 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Phpjabbers Meeting Room Booking System. Its CVSS base score is 8.8 (High).
Operationally, ranked at the 33.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly mandates validation of user-supplied inputs in the Languages section Labels field to block malicious CSV injection payloads.
SI-15 requires filtering of CSV file outputs to encode or neutralize injected formulas, preventing remote code execution when opened in spreadsheet applications.
SI-2 ensures timely identification, reporting, and correction of the specific input validation flaw enabling CSV injection.
NVD Description
PHPJabbers Meeting Room Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is…
more
used to construct CSV file.
Deeper analysisAI
CVE-2023-51336 is a CSV injection vulnerability in PHPJabbers Meeting Room Booking System v1.0. The flaw arises from insufficient input validation in the Languages section's Labels any parameters field within System Options, where user-supplied data is used to construct CSV files without proper sanitization. This allows injection of malicious payloads, such as formulas, leading to remote code execution. The vulnerability is associated with CWE-1236 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with low privileges can exploit this issue remotely over the network with low complexity and no user interaction required. By injecting crafted input into the affected field, the attacker can embed executable code in the resulting CSV file, which executes when opened in applications like spreadsheet software, achieving remote code execution with high impacts on confidentiality, integrity, and availability.
Advisories detailing the vulnerability, including a proof-of-concept, are available via PacketStormsecurity references such as https://packetstorm.news/files/id/176518 and http://packetstormsecurity.com/files/176518/PHPJabbers-Meeting-Room-Booking-System-1.0-CSV-Injection.html. The vendor's demo page at https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo provides additional context on the affected software, though no specific patches or mitigations are detailed in the provided information.
Details
- CWE(s)