Cyber Posture

CVE-2023-53913

Severity: High · Public PoC

Published: 17 December 2025
Modified: 24 December 2025
KEV Added: not listed
Patch: not specified
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (34.3th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-53913 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Rukovoditel (vendor: Rukovoditel). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 34.3th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Filters the firstname field content during CSV export to neutralize formula injection payloads such as =calc|a!z| before the file reaches a spreadsheet application.

prevent: Validates and sanitizes input to the firstname field so that authenticated users cannot store malicious formula elements.

prevent: Remediates the specific flaw in Rukovoditel 3.3.1 by patching the missing sanitization of user input used in CSV exports.
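The first two controls above describe output filtering of the exported CSV and a check on what was stored. The following is an added example written for this page, not code from Rukovoditel or from the control catalogue; the trigger-character set follows the commonly published CSV-injection guidance and is an assumption, and the user rows are constructed.

```python
import csv
import io

# Characters that spreadsheet applications interpret as the start of a
# formula (=, +, -, @) or that can split a cell when pasted (tab, CR).
# Assumed trigger set; not Rukovoditel's own list.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a text-safe rendering of one exported cell (output filtering, SI-15 style)."""
    text = "" if value is None else str(value)
    # Check after stripping leading whitespace: " =calc|a!z|" is still evaluated as a formula.
    stripped = text.lstrip()
    if stripped and stripped[0] in FORMULA_TRIGGERS:
        # A leading single quote makes the spreadsheet treat the cell as literal text.
        text = "'" + text
    return text


def export_csv(rows, fieldnames):
    """Serialise rows to CSV with every cell neutralized and quoted. Returns the CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


def contains_unneutralized_formula(csv_text):
    """Detection check for an export that already exists: True if any cell still starts with a trigger."""
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:
            if cell.lstrip()[:1] in FORMULA_TRIGGERS:
                return True
    return False


# Constructed sample of a user-account export. Row 2 carries the payload shape
# quoted in the advisory in the firstname field; row 3 is the same with leading
# spaces; row 4 is a legitimate name with an internal hyphen that must stay untouched.
SAMPLE_USERS = [
    {"id": 1, "firstname": "Alice", "email": "alice@example.com"},
    {"id": 2, "firstname": "=calc|a!z|", "email": "mallory@example.com"},
    {"id": 3, "firstname": "  =calc|a!z|", "email": "eve@example.com"},
    {"id": 4, "firstname": "Anne-Marie", "email": "anne@example.com"},
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_USERS, ["id", "firstname", "email"]))
```

The leading apostrophe is shown as visible text by some spreadsheet applications, so this is a neutralization of the export, not a substitute for the input validation and patching controls listed above.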

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.002 Malicious File (tactic: Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The CSV injection vulnerability sits in a public-facing web application (AV:N/PR:L), so a low-privileged authenticated user can exploit it (T1190) to inject malicious formulas into exported CSV files and escalate privileges (T1068); arbitrary code execution then depends on a user opening the malicious file (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc|a!z| to trigger code execution when an admin exports customer data as a CSV file.

Deeper analysis

CVE-2023-53913 is a CSV injection vulnerability in Rukovoditel version 3.3.1. The flaw resides in the firstname field, where authenticated users can inject malicious formulas, such as =calc|a!z|, without proper sanitization. It is classified under CWE-1236 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its network reach, low complexity, and potential for significant impact.

An authenticated user with low privileges can exploit this by injecting a crafted payload into their firstname field during account creation or modification. The attack activates when an administrator exports customer data to a CSV file; upon opening the file in a spreadsheet application like Excel or LibreOffice, the injected formula executes arbitrary code on the administrator's local machine, potentially leading to full compromise.

Advisories and proof-of-concept exploits are documented in references including Exploit-DB (https://www.exploit-db.com/exploits/51490), a Vulncheck advisory on the issue (https://www.vulncheck.com/advisories/rukovoditel-csv-injection-via-user-account-export), and the vendor site (https://www.rukovoditel.net/). These resources detail the vulnerability but do not specify patch availability or mitigation steps in the provided information.

Details

CWE(s): CWE-1236 (Improper Neutralization of Formula Elements in a CSV File)

Affected Products: rukovoditel / rukovoditel 3.3.1 (vendor / product, version)
