CVE-2023-51336

CVE-2023-51336 is a CSV injection vulnerability in PHPJabbers Meeting Room Booking System v1.0. The flaw arises from insufficient input validation in the Languages section's Labels any parameters field within System Options, where user-supplied data is used to construct CSV files without proper sanitization. This allows injection of malicious payloads, such as formulas, leading to remote code execution. The vulnerability is associated with CWE-1236 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker with low privileges can exploit this issue remotely over the network with low complexity and no user interaction required. By injecting crafted input into the affected field, the attacker can embed executable code in the resulting CSV file, which executes when opened in applications like spreadsheet software, achieving remote code execution with high impacts on confidentiality, integrity, and availability.

Advisories detailing the vulnerability, including a proof-of-concept, are available via PacketStormsecurity references such as https://packetstorm.news/files/id/176518 and http://packetstormsecurity.com/files/176518/PHPJabbers-Meeting-Room-Booking-System-1.0-CSV-Injection.html. The vendor's demo page at https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo provides additional context on the affected software, though no specific patches or mitigations are detailed in the provided information.