CVE-2023-51333

8.8 HIGH

📋 TL;DR

PHPJabbers Cinema Booking System v1.0 has a CSV injection vulnerability that allows attackers to execute arbitrary code on the server. This affects administrators who can access the System Options Languages section. Attackers can craft malicious CSV content that gets executed when exported.

💻 Affected Systems

Products:
  • PHPJabbers Cinema Booking System
Versions: v1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator access to System Options Languages section to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Limited code execution within web application context, potentially allowing file system access, database manipulation, or further exploitation.

🟢 If Mitigated

No impact if proper input validation and output encoding are implemented, or if the vulnerable feature is disabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires authenticated admin access. Public proof-of-concept demonstrates CSV injection technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.1 or later

Vendor Advisory: https://www.phpjabbers.com/cinema-booking-system/

Restart Required: No

Instructions:

1. Download the latest version from the PHPJabbers website.
2. Back up the current installation.
3. Replace the vulnerable files with the patched version.
4. Verify that the CSV export functionality works without code injection.

🔧 Temporary Workarounds

Disable CSV Export
Applies to: all

Remove or restrict access to CSV export functionality in System Options Languages section.

Input Validation
Applies to: all

Implement server-side validation to sanitize CSV content and prevent formula injection.
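The server-side sanitisation this workaround calls for, written here as an added Python example (it is not code from PHPJabbers or from the Cinema Booking System): every exported cell that begins with a character a spreadsheet treats as a formula trigger is prefixed with a single quote so the cell is stored as text, and the standard library csv writer handles quoting of commas, double quotes and newlines. The sample rows are constructed; the tampered label uses the test payload quoted later on this page.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell as a formula.
# Tab and carriage return are included because some importers skip leading
# whitespace before looking for '='.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Prefix formula-like cells with a single quote so they are stored as text.
    The quote is a harmless leading character in every major spreadsheet; the
    cost is that a leading-minus number such as -10% also becomes text."""
    if is_formula_like(value):
        return "'" + value
    return value


def export_rows(rows) -> str:
    """Serialise rows to CSV text with every cell neutralised. csv.writer takes
    care of delimiter and quote escaping, so the prefix is the only extra step."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


def all_cells_safe(csv_text: str) -> bool:
    """Verification helper: parse exported CSV and confirm no cell is formula-like."""
    reader = csv.reader(io.StringIO(csv_text))
    return not any(is_formula_like(cell) for row in reader for cell in row)


# Constructed sample: a language table in which one label was tampered with
# using the test payload quoted on this page.
SAMPLE_ROWS = [
    ["key", "en"],
    ["greeting", "Welcome"],
    ["booking_title", "=cmd|' /C calc'!A0"],
    ["discount", "-10%"],
]

if __name__ == "__main__":
    exported = export_rows(SAMPLE_ROWS)
    print(exported)
    print("all cells safe:", all_cells_safe(exported))
```

`all_cells_safe` is the same check the "Verify Fix Applied" step below describes: feed the export back through a CSV parser and confirm that no cell still starts with a trigger character.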

🧯 If You Can't Patch

  • Restrict admin access to trusted IP addresses only
  • Implement web application firewall rules to block CSV formula injection patterns

🔍 How to Verify

Check if Vulnerable:

Test the CSV export from the System Options Languages section with a payload such as =cmd|' /C calc'!A0 and check whether it appears unmodified in the exported file.

Check Version:

Check the version in the admin panel or in the readme.txt file.

Verify Fix Applied:

Attempt CSV injection with test payloads and verify they are properly sanitized or rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual CSV export activity
  • Admin panel access from unexpected IPs
  • System command execution in web logs

Network Indicators:

  • HTTP POST requests to CSV export endpoints with formula-like payloads

SIEM Query:

web_requests WHERE url_path CONTAINS 'csv' AND (request_body CONTAINS '=cmd' OR request_body CONTAINS '=HYPERLINK')
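Detection logic for the network indicator and SIEM query above, as an added Python example (not code from the product or the vendor) run over a constructed JSON-lines web log; the request paths are hypothetical and are not the product's real endpoints. Two details matter in practice: the form body is URL-decoded before matching, because a browser submits the payload as `label=%3Dcmd%7C...`, so a raw substring search for `=cmd` never fires; and the path test is grouped explicitly with the formula test, so the OR between payload patterns cannot bypass the path filter.

```python
import json
from urllib.parse import parse_qs

# Leading characters that make a spreadsheet evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Path fragment taken from this page's network indicator; extend it with the
# real endpoint names of the deployment being monitored.
MONITORED_PATH_FRAGMENTS = ("csv",)

# Constructed sample web log in JSON-lines form. Paths are hypothetical and the
# addresses are documentation ranges; this is not traffic from any real system.
SAMPLE_LOG = """\
{"ts":"2024-01-05T10:00:01Z","src":"203.0.113.7","method":"POST","path":"/admin/languages_csv.php","body":"lang=en&label=Welcome"}
{"ts":"2024-01-05T10:00:09Z","src":"203.0.113.7","method":"POST","path":"/admin/languages_csv.php","body":"lang=en&label=%3Dcmd%7C%27+%2FC+calc%27%21A0"}
{"ts":"2024-01-05T10:01:12Z","src":"198.51.100.4","method":"POST","path":"/admin/settings.php","body":"note=%3DHYPERLINK%28%22http%3A%2F%2Fexample.test%22%29"}
{"ts":"2024-01-05T10:02:30Z","src":"198.51.100.4","method":"GET","path":"/admin/languages_csv.php","body":""}
"""


def starts_formula(value: str) -> bool:
    """True if the decoded field value begins with a formula trigger."""
    return value.startswith(FORMULA_TRIGGERS)


def formula_fields(entry: dict) -> list:
    """Decode the form body and return (field, value) pairs that look like formulas."""
    fields = parse_qs(entry.get("body", ""), keep_blank_values=True)
    return [(name, v) for name, values in fields.items() for v in values
            if starts_formula(v)]


def is_suspicious(entry: dict) -> bool:
    """Match the page's indicator: a POST to a CSV-related path AND a formula-like
    field. The grouping is explicit so the path filter always applies."""
    if entry.get("method") != "POST":
        return False
    path = entry.get("path", "").lower()
    if not any(fragment in path for fragment in MONITORED_PATH_FRAGMENTS):
        return False
    return bool(formula_fields(entry))


def scan_log(text: str) -> list:
    """Return one hit record per suspicious request in a JSON-lines log."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if is_suspicious(entry):
            hits.append({"ts": entry["ts"], "src": entry["src"],
                         "path": entry["path"], "fields": formula_fields(entry)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the second line is reported: the first carries a benign label, the third posts a formula to a path outside the monitored set (the ungrouped form of the query above would have matched it regardless of path), and the fourth is a GET with no body. Widen `MONITORED_PATH_FRAGMENTS` to the endpoint that stores language labels if the deployment's save and export paths differ.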

🔗 References
