CVE-2023-51319
Published: 20 February 2025
Description
PHPJabbers Bus Reservation System v1.1 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.
Security Summary
CVE-2023-51319 is a CSV Injection vulnerability in PHPJabbers Bus Reservation System version 1.1. The issue arises from insufficient input validation in the Languages section Labels any parameters field within System Options, where user-supplied data is used to construct CSV files without proper sanitization. This flaw enables attackers to embed malicious payloads in exported CSV content.
An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R), such as opening the CSV file in a spreadsheet application like Excel. Successful exploitation allows remote code execution, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8 and no change in scope (S:U). The vulnerability is associated with CWE-1236.
Advisories detailing the vulnerability are available from Packet Storm Security at https://packetstorm.news/files/id/176500 and http://packetstormsecurity.com/files/176500/PHPJabbers-Bus-Reservation-System-1.1-CSV-Injection.html. The vendor's product page, including a demo section, is at https://www.phpjabbers.com/bus-reservation-system/#sectionDemo. No specific patch or mitigation guidance is detailed in the provided references.
Details
- CWE(s)