CVE-2023-43147 in Limo Booking Softwareinfo

Summary

by MITRE • 10/25/2023

PHPJabbers Limo Booking Software 1.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Add Users Function, aka an index.php?controller=pjAdminUsers&action=pjActionCreate URI.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 02/03/2026

The vulnerability identified as CVE-2023-43147 affects PHPJabbers Limo Booking Software version 1.0 and represents a critical Cross Site Request Forgery flaw that enables unauthorized users to perform administrative actions on behalf of legitimate users without their knowledge or consent. This vulnerability specifically targets the user management functionality of the application, making it particularly dangerous as it could allow attackers to escalate privileges and gain full administrative control over the booking system. The flaw exists within the index.php?controller=pjAdminUsers&action=pjActionCreate URI endpoint, which handles user creation requests.

The technical implementation of this CSRF vulnerability stems from the absence of proper anti-CSRF token validation within the user creation form. When an authenticated administrator visits a malicious website or clicks on a crafted link, the attacker can leverage the existing session cookie to submit a forged request to the vulnerable endpoint. This occurs because the application fails to implement mandatory CSRF protection mechanisms such as unique tokens that would validate the authenticity of requests originating from legitimate user sessions. The vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses in web applications.

The operational impact of this vulnerability is severe as it allows attackers to create new administrative user accounts with elevated privileges, potentially leading to complete system compromise. An attacker could use this flaw to add themselves as an administrator, gain access to sensitive booking data, modify existing user accounts, or even delete critical system information. The attack requires minimal technical expertise since it exploits the inherent trust relationship between the web application and authenticated users, making it particularly dangerous in environments where administrators frequently visit untrusted websites. This vulnerability directly maps to attack techniques described in the MITRE ATT&CK framework under T1078 Valid Accounts and T1531 Account Access Removal, as it enables unauthorized account creation and potential privilege escalation.

Mitigation strategies for this vulnerability should include immediate implementation of anti-CSRF token mechanisms within all administrative forms, particularly the user creation endpoint. The application should generate unique, cryptographically secure tokens for each user session and validate these tokens on every state-changing request. Additionally, implementing proper session management with secure cookie attributes, enforcing same-site cookie policies, and adding request origin validation would significantly reduce the attack surface. Organizations should also conduct regular security assessments of web applications to identify similar vulnerabilities, as this flaw demonstrates the importance of proper input validation and request authenticity verification. The fix should follow OWASP Top Ten security recommendations for CSRF protection, ensuring that all administrative functions require proper authentication tokens to prevent unauthorized modifications to system user configurations.

Reservation

09/18/2023

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00486

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!