PHPJabbers Hotel Booking System
cpe:2.3:a:phpjabbers:hotel_booking_system:*:*:*:*:*:*:*
- 4.0
A CSV injection vulnerability has been identified in PHPJabbers Hotel Booking System version 4.0. This vulnerability allows an attacker to execute remote code due to inadequate input validation in the Languages section, specifically within the Labels parameters of the System Options. The flawed validation process is exploited when constructing CSV files, creating a vector for code execution.
Exploitation of this vulnerability could lead to arbitrary code execution on the server where the application is hosted.
To reproduce this vulnerability, log into the admin panel of PHPJabbers Hotel Booking System version 4.0. Navigate to the Options Menu, then select Language and click on the Labels section. Insert a CSV injection payload into any field. Afterward, go to the Import/Export section, click export, and open the exported file. The injected payload will execute at this stage.
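The export step in the reproduction above is where stored label values reach a spreadsheet, so it is also where they can be audited and neutralized. The Python example below is added here and is not PHPJabbers code or part of the original advisory. The column layout of the sample export is an assumption, and the single-quote prefix with fully quoted fields follows OWASP's CSV injection guidance.

```python
import csv
import io

# Leading characters a spreadsheet reads as a formula or command (OWASP list).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample of an exported labels file; the columns and rows are
# assumptions for illustration, not the application's real export format.
SAMPLE_EXPORT = (
    "id,key,label\r\n"
    "1,btn_save,Save\r\n"
    "2,btn_cancel,=1+1\r\n"
    "3,discount,-5\r\n"
    "4,front_title, @SUM(A1:A2)\r\n"
)


def is_formula_like(cell):
    """True if a spreadsheet may evaluate this cell instead of displaying it."""
    stripped = cell.lstrip(" ")  # conservative: flag space-padded formulas too
    if not stripped.startswith(FORMULA_PREFIXES):
        return False
    try:
        float(stripped)  # plain signed numbers such as -5 are data
    except ValueError:
        return True
    return False


def find_formula_cells(csv_text):
    """Return (row_number, column_index, value) for every risky cell."""
    rows = csv.reader(io.StringIO(csv_text, newline=""))
    return [(r, c, cell) for r, row in enumerate(rows, start=1)
            for c, cell in enumerate(row) if is_formula_like(cell)]


def neutralize_csv(csv_text):
    """Rewrite the CSV with risky cells prefixed by ' and every field quoted."""
    out = io.StringIO(newline="")
    writer = csv.writer(out, quoting=csv.QUOTE_ALL)
    for row in csv.reader(io.StringIO(csv_text, newline="")):
        writer.writerow(["'" + c if is_formula_like(c) else c for c in row])
    return out.getvalue()


if __name__ == "__main__":
    print(find_formula_cells(SAMPLE_EXPORT))
    print(neutralize_csv(SAMPLE_EXPORT), end="")
```

Running the audit on an existing export shows which stored labels need cleaning at the source; applying the same neutralization when the file is generated keeps the values as text for whoever opens it.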