PHPJabbers Car Park Booking System CSV Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A CSV injection vulnerability has been identified in PHPJabbers Car Park Booking System version 3.0. It allows an attacker to execute remote code because of inadequate input validation in the Languages section, specifically in the Labels parameters under System Options, whose values are written into generated CSV files. The Unique ID field of the Reservations list, which is also used for CSV file creation, is affected in the same way.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution on the server where the application is hosted.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the Options Menu. Click on 'Language' and then select the 'Labels' section. Enter a CSV injection payload into any field and proceed to the Import/Export section. Click 'Export' and open the exported file to observe the effects of the injection.
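As an added example (not code from PHPJabbers or from this advisory), the Python below contrasts an export routine that writes user-controlled label text verbatim with one that neutralizes formula-leading cells before they reach the CSV, and includes an audit function a tester can run over an exported file; the label keys and values are constructed samples.

```python
import csv
import io

# Leading characters that make spreadsheet applications treat a cell as a
# formula. Tab and carriage return are included because some importers strip
# them and then evaluate the remainder of the cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Prefix formula-like cells with a single quote so they import as text."""
    if is_formula_like(value):
        return "'" + value
    return value


def export_labels(rows, harden: bool = True) -> str:
    """Write (key, label) rows to CSV text.

    harden=False reproduces the naive, vulnerable export: label text taken
    from an authenticated user is written exactly as stored.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["key", "label"])
    for key, label in rows:
        writer.writerow([key, neutralize_cell(label) if harden else label])
    return buf.getvalue()


def audit_export(csv_text: str):
    """Return (row_number, column_index, value) for every formula-like cell."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for col, value in enumerate(row):
            if is_formula_like(value):
                findings.append((row_no, col, value))
    return findings


# Constructed sample labels: one ordinary, one benign-but-formula-like
# (a leading minus), and one that a spreadsheet would evaluate as a formula.
SAMPLE_LABELS = [
    ("booking_confirmed", "Your booking is confirmed"),
    ("discount_note", "-5% discount applied"),
    ("tampered_label", "=SUM(1,2)"),
]
```

Running `audit_export(export_labels(SAMPLE_LABELS, harden=False))` flags the two formula-like cells, while the hardened export audits clean; the benign "-5%" label is neutralized as well, which is the accepted trade-off of a prefix-based defence.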

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM