CVE-2023-51336

8.8 HIGH

📋 TL;DR

CVE-2023-51336 is a CSV injection vulnerability in PHPJabbers Meeting Room Booking System v1.0 that allows attackers to execute remote code by injecting malicious formulas into CSV exports. This affects organizations using the vulnerable version of this booking system software. Attackers can exploit insufficient input validation in the Languages section's Labels parameters to achieve code execution.

💻 Affected Systems

Products:
  • PHPJabbers Meeting Room Booking System
Versions: v1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation when CSV export functionality is enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with remote code execution leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case

Data exfiltration, privilege escalation, or installation of backdoors through successful code execution.

🟢 If Mitigated

Limited impact with proper input validation and output encoding preventing formula injection.

🌐 Internet-Facing: HIGH - Web application accessible from internet with direct attack vector via CSV export functionality.
🏢 Internal Only: MEDIUM - Internal users could exploit to pivot to other systems if application is internally accessible.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a user to open the exported CSV file in a spreadsheet application, but technical details are publicly available in the Packet Storm references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.1 or later

Vendor Advisory: https://www.phpjabbers.com/meeting-room-booking-system/

Restart Required: No

Instructions:

1. Download the latest version from the PHPJabbers website.
2. Back up the current installation.
3. Replace the vulnerable files with the patched version.
4. Test functionality.

🔧 Temporary Workarounds

Input Validation Sanitization (scope: all)

Implement strict input validation and output encoding for the CSV export functionality.

Modify the PHP code to sanitize user input in /controllers/SystemOptionsController.php and the related CSV generation files.
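One way to apply the output-encoding workaround above, as an added example that is not PHPJabbers code: a helper that neutralises formula-triggering cells before they are written to the export (function names and the sample rows are constructed; the real controller and file layout are not shown here).

```php
<?php
// Added example, not part of the PHPJabbers code base.
// Spreadsheets treat a cell as a formula when it starts with = + - @
// or a tab / carriage return, so such user-controlled values (e.g. the
// Languages Labels fields) are prefixed with a single quote, which
// Excel and LibreOffice render as plain text instead of evaluating.

function csv_safe_cell(string $value): string
{
    // Some spreadsheets skip leading whitespace before checking the
    // first character, so look at the trimmed value.
    $trimmed = ltrim($value);
    $isFormulaStart = $trimmed !== ''
        && strpos("=+-@\t\r", $trimmed[0]) !== false;

    // Genuine numbers such as -5 or +12 are left alone; everything else
    // that looks like a formula gets the neutralising prefix.
    if ($isFormulaStart && !is_numeric($value)) {
        $value = "'" . $value;
    }

    // Always quote the field and double embedded quotes so commas,
    // quotes and newlines cannot break the cell boundary.
    return '"' . str_replace('"', '""', $value) . '"';
}

function export_rows_as_csv(array $rows): string
{
    $out = '';
    foreach ($rows as $row) {
        $out .= implode(',', array_map('csv_safe_cell', $row)) . "\r\n";
    }
    return $out;
}

// Constructed sample rows: a benign label, a DDE-style payload like the
// one in the verification step, and a negative number that must survive.
$rows = [
    ['key', 'label'],
    ['welcome', 'Welcome to the booking system'],
    ['evil', "=cmd|' /C calc'!A0"],
    ['offset', '-5'],
];
echo export_rows_as_csv($rows);
// The "evil" cell is written as "'=cmd|' /C calc'!A0" and opens as text.
```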

🧯 If You Can't Patch

  • Disable CSV export functionality in System Options if not required
  • Implement web application firewall rules to block CSV injection patterns

🔍 How to Verify

Check if Vulnerable:

Check if running PHPJabbers Meeting Room Booking System v1.0 by examining version in admin panel or source code.

Check Version:

Check admin panel or examine /includes/version.php file for version information.

Verify Fix Applied:

Enter a formula-style value (e.g., =cmd|' /C calc'!A0) in a Labels field, export to CSV, and confirm that the exported cell is rendered as text rather than evaluated, which shows that sanitization is in place.

📡 Detection & Monitoring

Log Indicators:

  • Unusual CSV export requests
  • Malicious formula patterns in input parameters
  • Unexpected system command execution

Network Indicators:

  • CSV file downloads containing formula patterns
  • Outbound connections from web server to unexpected destinations

SIEM Query:

source="web_logs" AND (uri="/index.php?controller=SystemOptions" OR filetype="csv") AND (pattern="=cmd|" OR pattern="=HYPERLINK" OR pattern="=EXEC")

🔗 References
