CVE-2023-53913
Published: 17 December 2025
Description
Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc|a!z| to trigger code execution when an admin exports customer data as a CSV file.
Mitigating Controls (NIST 800-53 r5)
- Filter firstname field content during CSV export so that formula-injection payloads such as =calc|a!z| are neutralized before the file reaches a spreadsheet application.
- Validate and sanitize input to the firstname field so that authenticated users cannot store formula elements in the first place.
- Remediate the flaw in Rukovoditel 3.3.1 by patching the missing sanitization of user input on the CSV export path.
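The two application-side controls above (output neutralization on export and input validation on the firstname field) are shown together in the following Python example. This is an added illustration, not Rukovoditel's own code; the field names, the export function and the sample customer rows are constructed for the example, and the neutralization follows the OWASP CSV-injection guidance (leading apostrophe plus full quoting).

```python
import csv
import io

# Added illustration, not Rukovoditel's code. Field names and sample rows are constructed.

# Leading characters that Excel and LibreOffice treat as the start of a formula;
# the =calc|a!z| payload from the advisory starts with "=" and is covered here.
FORMULA_TRIGGERS = "=+-@"
# Control characters that can also start formula evaluation or break field boundaries.
CONTROL_TRIGGERS = "\t\r\n"


def neutralize_cell(value):
    """Return the cell text with any formula trigger defused.

    A leading apostrophe makes spreadsheet applications store the cell as literal
    text. The csv writer in export_customers_csv quotes every field, so the
    apostrophe, delimiters and embedded quotes cannot split or escape the field.
    """
    text = "" if value is None else str(value)
    if not text:
        return text
    first = text[0]
    leading = text.lstrip()[:1]  # a trigger hidden behind leading whitespace still counts
    if first in CONTROL_TRIGGERS or leading in FORMULA_TRIGGERS:
        return "'" + text
    return text


def export_customers_csv(rows, fields=("id", "firstname", "lastname", "email")):
    """Serialize customer rows as CSV, neutralizing every cell, not only firstname."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(fields)
    for row in rows:
        writer.writerow([neutralize_cell(row.get(f)) for f in fields])
    return buf.getvalue()


def is_safe_firstname(value):
    """Input-side control: reject a firstname that would read as a formula once exported."""
    if value is None:
        return False
    if any(c in value for c in CONTROL_TRIGGERS):
        return False
    text = value.strip()
    return bool(text) and text[0] not in FORMULA_TRIGGERS


# Constructed sample data; the second row carries the payload quoted in the advisory.
SAMPLE_CUSTOMERS = [
    {"id": 1, "firstname": "Alice", "lastname": "Doe", "email": "alice@example.com"},
    {"id": 2, "firstname": "=calc|a!z|", "lastname": "Mallory", "email": "m@example.com"},
    {"id": 3, "firstname": "Jean-Luc", "lastname": "Picard", "email": "jl@example.com"},
]

if __name__ == "__main__":
    print(export_customers_csv(SAMPLE_CUSTOMERS))
    for customer in SAMPLE_CUSTOMERS:
        verdict = "accepted" if is_safe_firstname(customer["firstname"]) else "rejected"
        print(f"{customer['firstname']!r}: {verdict}")
```

Neutralizing on export is the control that closes the vulnerability regardless of what is already stored, which matters for records entered before input validation was added. The trade-off is that legitimate values beginning with a minus sign (for example a negative number) also receive the apostrophe and become text in the spreadsheet; hyphens inside a name such as Jean-Luc are unaffected because only the leading character is checked.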
Security Summary
CVE-2023-53913 is a CSV injection vulnerability in Rukovoditel version 3.3.1. The flaw resides in the firstname field, where authenticated users can inject malicious formulas, such as =calc|a!z|, without proper sanitization. It is classified under CWE-1236 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its network reach, low complexity, and potential for significant impact.
An authenticated user with low privileges can exploit this by injecting a crafted payload into their firstname field during account creation or modification. The attack activates when an administrator exports customer data to a CSV file; upon opening the file in a spreadsheet application like Excel or LibreOffice, the injected formula executes arbitrary code on the administrator's local machine, potentially leading to full compromise.
Advisories and proof-of-concept exploits are documented in references including Exploit-DB (https://www.exploit-db.com/exploits/51490), a Vulncheck advisory on the issue (https://www.vulncheck.com/advisories/rukovoditel-csv-injection-via-user-account-export), and the vendor site (https://www.rukovoditel.net/). These resources detail the vulnerability but do not specify patch availability or mitigation steps in the provided information.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerable CSV export is reached through the public-facing web application (AV:N/PR:L), so a low-privileged authenticated user exploiting it maps to Exploit Public-Facing Application (T1190) and Exploitation for Privilege Escalation (T1068); the injected formula only runs when the administrator opens the exported file in a spreadsheet, which is User Execution: Malicious File (T1204.002).