KWHotel 0.47 is vulnerable to CSV Formula Injection in the add guest function.
An attacker enters specially crafted data in the guest addition form field, containing characters that initiate formulas (e.g., =, +, -, @). This data is saved without proper sanitization and ends up in the CSV file generated by the application. When an authorized user (e.g., reception staff or administrator) exports the data and opens the file in a spreadsheet application, the embedded formula is automatically executed.
An attacker can cause malicious code to be executed on the workstation of a user opening an infected CSV file, as well as cause data theft or unauthorized execution of system commands in the context of the victim's privileges.
Patches available from the vendor should be applied according to the references. As a workaround, avoid opening exported CSV files with untrusted guest data in spreadsheet applications and implement input validation and sanitization on the application side.
KWHotel version 0.47
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HKwhotel
APPKwhotel0.47