CVE-2023-51302
Published: 19 February 2025
Description
PHPJabbers Hotel Booking System v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.
Security Summary
CVE-2023-51302 is a CSV injection vulnerability in PHPJabbers Hotel Booking System version 4.0. The flaw arises from insufficient input validation in the Languages section Labels any parameters field within System Options, where user-supplied data is used to construct CSV files without proper sanitization. This enables attackers to embed malicious payloads into exported CSV content.
An unauthenticated attacker (PR:N) can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R), such as an administrator opening the exported CSV file in a spreadsheet application like Excel. Successful exploitation leads to remote code execution, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8 and no change in scope (S:U). The issue maps to CWE-1236.
Advisories and details are available in references including the Packet Storm Security report at http://packetstormsecurity.com/files/176489/PHPJabbers-Hotel-Booking-System-4.0-CSV-Injection.html and the vendor product page at https://www.phpjabbers.com/hotel-booking-system/#sectionDemo. Security practitioners should review these for recommended mitigations, such as input validation updates or restricting CSV exports.
Details
- CWE(s)