CVE-2023-51313

8.8 HIGH

📋 TL;DR

PHPJabbers Restaurant Booking System v3.0 has a CSV injection vulnerability that allows attackers to execute arbitrary code on the server. The vulnerability occurs when insufficient input validation in the Languages section allows malicious data to be included in exported CSV files. This affects all installations of the vulnerable version.

💻 Affected Systems

Products:
  • PHPJabbers Restaurant Booking System
Versions: v3.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of v3.0 are vulnerable. The vulnerability is in the System Options > Languages section.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise allowing remote code execution, data theft, and complete system control.

🟠 Likely Case: Data exfiltration, privilege escalation, and potential lateral movement within the network.

🟢 If Mitigated: Limited impact with proper input validation and CSV sanitization in place.

🌐 Internet-Facing: HIGH - The system is typically internet-facing for restaurant booking functionality.
🏢 Internal Only: MEDIUM - Internal systems could still be affected if accessible to attackers.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to the admin interface or compromised credentials. The vulnerability is in CSV export functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.1 or later

Vendor Advisory: https://www.phpjabbers.com/restaurant-booking-system/

Restart Required: No

Instructions:

1. Download the latest version from the PHPJabbers website.
2. Back up the current installation.
3. Replace the vulnerable files with the patched version.
4. Test functionality.

🔧 Temporary Workarounds

Input Validation / Sanitization (all)

  • Add input validation to sanitize CSV export data in the Languages section
  • Modify PHP code to escape special characters in CSV exports
  • Implement whitelist validation for label parameters
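The escaping workaround above, as an added example that is not PHPJabbers code: a small PHP helper that neutralises spreadsheet-formula triggers in every exported cell. The function names and the sample label rows are constructed for illustration and are not taken from the product.

```php
<?php
// Added example (not PHPJabbers code). A spreadsheet treats a cell whose
// first character is one of = + - @ (or a tab / carriage return) as a
// formula, so we prefix such values with a single quote, which forces the
// application to read the cell as literal text. Every field is then quoted
// and embedded double quotes are doubled, per the usual CSV conventions.

function csvSafeCell(string $value): string
{
    // Leading characters that make a spreadsheet evaluate the cell.
    $formulaTriggers = ['=', '+', '-', '@', "\t", "\r"];

    if ($value !== '' && in_array($value[0], $formulaTriggers, true)) {
        // The apostrophe stays visible in the cell; that is the accepted
        // trade-off for making the value inert.
        $value = "'" . $value;
    }

    // Standard CSV quoting: double any embedded quotes and wrap the field.
    return '"' . str_replace('"', '""', $value) . '"';
}

function csvSafeRow(array $cells): string
{
    return implode(',', array_map('csvSafeCell', $cells)) . "\r\n";
}

// Constructed sample rows, shaped like language labels an admin might have
// entered. The last two would be evaluated by a spreadsheet if exported raw.
$rows = [
    ['label_key', 'label_text'],
    ['welcome',   'Welcome to our restaurant'],
    ['hours',     '-Opening hours: 9 to 17'],   // leading '-' becomes '\'-Opening...'
    ['note',      '=1+1'],                      // leading '=' becomes '\'=1+1'
];

$csv = '';
foreach ($rows as $row) {
    $csv .= csvSafeRow($row);
}
echo $csv;
```

Apply csvSafeCell() to each value at the point where the Languages export writes its CSV; the check must run on the stored value, not only on the form input, so that labels entered before the fix are also neutralised.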

🧯 If You Can't Patch

  • Disable CSV export functionality in System Options
  • Implement web application firewall rules to block malicious CSV payloads

🔍 How to Verify

Check if Vulnerable:

Check whether the installation is running v3.0, then test a CSV export from the Languages section with a payload such as =cmd|' /C calc'!A0 and inspect the downloaded file: if the value appears unchanged (no escaping or prefix), the installation is vulnerable.

Check Version:

Check admin panel or readme.txt file for version information

Verify Fix Applied:

After patching, repeat the CSV export test with the same payloads and confirm that the exported cells are sanitized (escaped or prefixed so that a spreadsheet reads them as text).

📡 Detection & Monitoring

Log Indicators:

  • Unusual CSV export requests
  • Admin panel access with malicious payloads in parameters

Network Indicators:

  • CSV downloads containing formula injection payloads
  • Unusual outbound connections after CSV exports

SIEM Query:

source="web_logs" AND (uri="/admin/export_csv" OR uri="/admin/languages") AND (payload="=" OR payload="+" OR payload="-" OR payload="@")
