CVE-2023-51311
Published: 20 February 2025
Description
PHPJabbers Car Park Booking System v3.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.
Security Summary
CVE-2023-51311 is a CSV Injection vulnerability in PHPJabbers Car Park Booking System version 3.0. The issue arises from insufficient input validation in the Languages section Labels any parameters field within System Options, where user-supplied data is used to construct CSV files. This flaw, associated with CWE-1236, has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with low privileges can exploit the vulnerability remotely with low complexity and no user interaction required. By injecting malicious payloads into the affected field, the attacker can embed executable formulas or commands in the resulting CSV file, potentially leading to remote code execution when the file is opened in a spreadsheet application like Microsoft Excel.
Packet Storm advisories, such as those at https://packetstorm.news/files/id/176494 and http://packetstormsecurity.com/files/176494/PHPJabbers-Car-Park-Booking-System-3.0-CSV-Injection.html, detail the vulnerability and proof-of-concept exploit. No patches or specific mitigations are described in the provided references.
Details
- CWE(s)