CVE-2023-51336
Description
PHPJabbers Meeting Room Booking System v1.0 fails to sanitize input in the Languages section labels, enabling CSV injection that can lead to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A CSV injection vulnerability exists in PHPJabbers Meeting Room Booking System v1.0. The bug resides in the Languages section under System Options, where the labels parameter is used to construct CSV files. Insufficient input validation allows an attacker to inject malicious formulas into CSV cells [1].
Exploitation
An attacker must first gain administrative access to the system to reach the vulnerable Languages section in System Options. Once authenticated, the attacker can inject crafted input (e.g., a formula starting with =, +, -, or @) into the labels parameter. When the system generates a CSV file containing this input and an administrator or operator opens it in spreadsheet software (such as Microsoft Excel or LibreOffice Calc), the formula can execute arbitrary commands on the local machine [1].
Impact
Successful exploitation leads to remote code execution on the machine where the exported CSV file is opened. The attacker achieves command execution with the privileges of the user running the spreadsheet application, compromising the confidentiality, integrity, and availability of the local system [1].
Mitigation
No official patch has been released by PHPJabbers at the time of this writing. The vulnerability is publicly disclosed with no fixed version identified. As a workaround, administrators should avoid opening CSV files exported from the application in spreadsheet software until a fix is applied. Alternatively, sanitize exported CSV files before opening them by stripping or escaping the leading characters that make a spreadsheet treat a cell as a formula (=, +, -, @) [1].
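The escaping workaround above can be applied to an exported file before anyone opens it. The following is an added example, not PHPJabbers code or part of the referenced advisory: the column layout and the sample rows are constructed, and the tab and carriage-return triggers are an addition to the four characters this page names.

```python
import csv
import io
import re

# Leading characters this page names as formula triggers; tab and carriage
# return are an added assumption, covering cells padded with control characters.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")

# Constructed sample export; the real column layout is not given on this page.
SAMPLE_EXPORT = (
    "id,key,label\n"
    "1,btnSave,Save\n"
    "2,lblTitle,=1+1\n"
    "3,lblOffset,-5\n"
    '4,lblNote,"  @SUM(1,1)"\n'
)


def neutralize_cell(value: str) -> str:
    """Prefix an apostrophe when a spreadsheet could parse the cell as a formula."""
    stripped = value.lstrip(" ")
    if not stripped or PLAIN_NUMBER.fullmatch(stripped):
        return value  # empty cells and signed numbers such as -5 stay untouched
    if stripped.startswith(FORMULA_TRIGGERS):
        return "'" + value  # the apostrophe makes the cell literal text
    return value


def sanitize_csv(text: str) -> str:
    """Re-emit a CSV document with every cell neutralized and fully quoted."""
    reader = csv.reader(io.StringIO(text, newline=""))
    out = io.StringIO(newline="")
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in reader:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()


if __name__ == "__main__":
    print(sanitize_csv(SAMPLE_EXPORT), end="")
```

The same per-cell check belongs in the application's export path once a fix is available; running it over downloaded files only protects the person who remembers to run it.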
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- PHPJabbers/Meeting Room Booking System
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.