CVE-2023-51333
Published: 20 February 2025
Description
PHPJabbers Cinema Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.
Security Summary
CVE-2023-51333 is a CSV Injection vulnerability affecting PHPJabbers Cinema Booking System version 1.0. The flaw arises from insufficient input validation in the Languages section Labels any parameters field within System Options, where user-supplied data is used to construct CSV files. This issue, associated with CWE-1236, has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-20.
An attacker with low privileges, such as an authenticated user, can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious payloads into the vulnerable field, the attacker can embed formulas or commands in the generated CSV file. When a higher-privileged user, like an administrator, exports and opens the CSV in a spreadsheet application, the payload executes remote code on the victim's system, potentially leading to high impacts on confidentiality, integrity, and availability.
Advisories referenced in PacketStorm (e.g., http://packetstormsecurity.com/files/176511/PHPJabbers-Cinema-Booking-System-1.0-CSV-Injection.html) detail the vulnerability and proof-of-concept, while the vendor's demo page (https://www.phpjabbers.com/cinema-booking-system/#sectionDemo) provides context on the affected software. No specific patches or mitigation steps from the vendor are mentioned in the available references.
Details
- CWE(s)