Cyber Posture

CVE-2023-51313

High | Public PoC

Published: 20 February 2025
Modified: 23 April 2025
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

PHPJabbers Restaurant Booking System v3.0 is vulnerable to CSV injection, which allows an attacker to achieve remote code execution. The vulnerability exists because of insufficient input validation on the Labels (any parameter) field of the Languages section in System Options, whose value is used to construct a CSV file.

Security Summary

PHPJabbers Restaurant Booking System version 3.0 is affected by CVE-2023-51313, a CSV injection vulnerability stemming from insufficient input validation in the Languages section's Labels (any parameter) field within System Options. This flaw enables attackers to inject malicious payloads into data that is subsequently used to construct CSV files. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-94 (Code Injection), potentially allowing remote code execution.

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L) by submitting crafted input into the vulnerable field. Exploitation requires user interaction (UI:R), such as an administrator opening the generated CSV file in a spreadsheet application like Microsoft Excel, which interprets the injected formula or command. Successful exploitation grants high-impact access to confidentiality, integrity, and availability (C:H/I:H/A:H), enabling remote code execution on the victim's system.

Advisories, including details from Packet Storm Security and the vendor's product page, document the vulnerability but, in the information available here, do not specify patches or mitigations. Security practitioners should review those references for exploit details and consider sanitizing exported cell values or disabling CSV exports until remediation is confirmed.
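The mitigation mentioned above (sanitizing values before they are written into a CSV export) is shown here as an added, defender-side example; it is not code from this record or from the PHPJabbers product. It assumes nothing about the application's internals: the sample rows are constructed to resemble a language-label export, and `neutralize_cell`, `export_rows` and `find_formula_cells` are illustrative names. The neutralization rule follows the usual CSV injection guidance: a cell whose first character is one of `=`, `+`, `-`, `@`, tab or carriage return is prefixed with a single quote so a spreadsheet treats it as text, and every cell is quoted so delimiters or newlines in a value cannot break the row. `find_formula_cells` is the matching detection check, usable against an export produced by an unpatched system.

```python
import csv
import io

# Characters that, at the start of a cell, cause spreadsheet applications to
# interpret the cell as a formula or a special value (standard CSV injection list).
FORMULA_TRIGGERS = frozenset("=+-@\t\r")


def neutralize_cell(value) -> str:
    """Return the cell as text that a spreadsheet will not evaluate as a formula."""
    text = "" if value is None else str(value)
    if text and text[0] in FORMULA_TRIGGERS:
        # A leading apostrophe forces text interpretation in Excel/LibreOffice.
        text = "'" + text
    return text


def export_rows(rows, sanitize: bool = True) -> str:
    """Serialise rows to CSV. sanitize=False reproduces the weak (vulnerable) export."""
    buf = io.StringIO()
    # QUOTE_ALL keeps commas, quotes and newlines inside a value from splitting the row.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        cells = [neutralize_cell(c) if sanitize else str(c) for c in row]
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Detection helper: (row, column) positions of cells that start with a trigger."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell and cell[0] in FORMULA_TRIGGERS:
                hits.append((r, c))
    return hits


# Constructed sample data (not taken from the product): a label export where one
# value is formula-like and another is a legitimate string that merely starts with '-'.
SAMPLE_LABELS = [
    ("label_key", "label_value"),
    ("btn_book", "Book a table"),
    ("btn_cancel", "=SUM(1,1)"),
    ("msg_discount", "-10% off today"),
]


def main() -> None:
    unsafe = export_rows(SAMPLE_LABELS, sanitize=False)
    safe = export_rows(SAMPLE_LABELS, sanitize=True)
    print("Unsafe export:\n" + unsafe)
    print("Formula-like cells:", find_formula_cells(unsafe))
    print("Sanitized export:\n" + safe)
    print("Formula-like cells after sanitizing:", find_formula_cells(safe))


if __name__ == "__main__":
    main()
```

The trade-off is visible in the sample: a harmless value such as `-10% off today` is also prefixed, because the export cannot know which leading `-` is arithmetic and which is prose. Neutralizing on output is deliberately chosen over rejecting on input, since the same stored label may later be exported by code paths that never ran the input check.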

Details

CWE(s): CWE-94

Affected Products

Vendor: phpjabbers
Product: restaurant booking system
Version: 3.0

References