Cyber Resilience

CVE-2023-51293

Severity: High · Public PoC · DDoS

Published: 19 February 2025
Modified: 08 May 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0023 (46.4th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-51293 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Phpjabbers Event Booking Calendar. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). EPSS ranks this CVE at the 46.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog, although a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2023-51293 affects PHPJabbers Event Booking Calendar version 4.0, where a lack of rate limiting in the 'Forgot Password' and 'Email Settings' features enables attackers to generate an excessive volume of emails for a legitimate user. This uncontrolled resource consumption, classified under CWE-400, can lead to a Denial of Service (DoS) condition through the sheer number of emails produced. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its network-accessible nature and high availability impact.

Unauthenticated attackers (PR:N) can exploit this remotely (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N) by repeatedly triggering the affected features. Successful exploitation overwhelms the target's email generation and delivery systems, causing resource exhaustion and disrupting service availability without impacting confidentiality or integrity.

Advisories on PacketStorm (http://packetstormsecurity.com/files/176495/PHPJabbers-Event-Booking-Calendar-4.0-Missing-Rate-Limiting.html and https://packetstorm.news/files/id/176495) disclose the missing rate limiting, while the vendor's product page (https://www.phpjabbers.com/event-booking-calendar/#sectionDemo) provides demo access but no patch details in the available references.


Vulnerability details

A lack of rate limiting in the 'Forgot Password' and 'Email Settings' features of PHPJabbers Event Booking Calendar v4.0 allows attackers to send an excessive amount of email for a legitimate user, leading to a possible Denial of Service (DoS) via a large amount of generated e-mail messages.

CWE(s): CWE-400 (Uncontrolled Resource Consumption)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

Missing rate limiting in password reset/email features directly enables application exhaustion flood DoS (T1499.003) via repeated unauthenticated triggers causing resource exhaustion.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-51301 (same vendor: Phpjabbers)
CVE-2023-51316 (same vendor: Phpjabbers)
CVE-2023-51314 (same vendor: Phpjabbers)
CVE-2026-4726 (shared CWE-400)
CVE-2025-21545 (shared CWE-400)
CVE-2026-36958 (shared CWE-400)
CVE-2026-6780 (shared CWE-400)
CVE-2024-56940 (shared CWE-400)
CVE-2026-26937 (shared CWE-400)
CVE-2025-2586 (shared CWE-400)

Affected Assets

Vendor: phpjabbers
Product: event booking calendar
Version: 4.0

Mitigating Controls (NIST 800-53 r5, AI)

SC-5 (Denial-of-service Protection), prevent: requires denial-of-service protections such as rate limiting at system entry points, directly addressing the absence of rate limiting on the forgot password and email settings features exploited for email flooding.

SC-6 (Resource Availability), prevent: mandates limits on resource allocation by process or user, preventing resource exhaustion in the email generation system triggered by excessive unauthenticated requests.

SC-14 (Public Access Protections), prevent: enforces protections against DoS attacks on public interfaces, mitigating unauthenticated remote exploitation of the vulnerable forgot password and email settings endpoints.
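The control that both the deeper analysis and the SC-5/SC-6 entries describe is a quota on how often an email-sending feature may be triggered. The following is an added illustration written for this page, not PHPJabbers code and not a patch for the product: a forgot-password handler fronted by two sliding-window limits, one keyed by the target account (so the legitimate user's inbox is protected however many source addresses the requests come from) and one keyed by the client address. The limits (3 per account and 10 per source per hour), the example addresses and the injectable clock are assumptions chosen for illustration; the same gate would apply to any endpoint that sends mail on a user's behalf, such as the email-settings feature named in the advisory.

```python
"""Per-account and per-source rate limiting for a password-reset mailer.

Added example, not PHPJabbers code. It models the control the SC-5/SC-6
mitigations describe: a forgot-password (or email-settings) handler that
refuses to send mail once a caller or a target account exceeds a quota,
so repeated unauthenticated requests cannot flood one user's inbox.
Limits, keys and the clock are assumptions chosen for illustration.
"""
import time
from collections import defaultdict, deque

# Returned to the caller whether or not mail was sent, so the endpoint
# does not reveal which addresses have accounts.
GENERIC_RESPONSE = "If an account exists for that address, a reset email has been sent."


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within the trailing `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock            # injectable so the demo can move time forward
        self._events = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        events = self._events[key]
        # Discard timestamps that have aged out of the window.
        while events and now - events[0] >= self.window:
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


class PasswordResetGate:
    """Decides whether a reset email may be sent for (client_ip, account)."""

    def __init__(self, clock=time.monotonic):
        # Per-account cap (assumed: 3 per hour) protects the legitimate user's
        # inbox no matter how many source addresses the requests arrive from.
        self.per_account = SlidingWindowLimiter(3, 3600, clock)
        # Per-source cap (assumed: 10 per hour) bounds what one client can trigger.
        self.per_ip = SlidingWindowLimiter(10, 3600, clock)
        self.outbox = []              # stands in for the real mailer

    def request_reset(self, client_ip, account_email):
        account = account_email.strip().lower()   # one quota per mailbox, not per spelling
        mail_sent = False
        # Per-source check runs first, so a throttled client cannot keep
        # consuming the target account's quota.
        if self.per_ip.allow(client_ip) and self.per_account.allow(account):
            self.outbox.append(account)
            mail_sent = True
        # The HTTP layer would expose only `response`; `mail_sent` is for
        # internal logging and for the checks below.
        return {"response": GENERIC_RESPONSE, "mail_sent": mail_sent}


class FakeClock:
    """Constructed clock so the scenarios run instantly and deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def mails_sent(requests, clock=None):
    """Replay (client_ip, account) pairs against a fresh gate; return mails sent."""
    gate = PasswordResetGate(clock=clock or FakeClock())
    return sum(gate.request_reset(ip, acct)["mail_sent"] for ip, acct in requests)


if __name__ == "__main__":
    # Constructed traffic: one source submitting the form 20 times.
    flood = [("198.51.100.7", "victim@example.com")] * 20
    print("single-source flood, mails sent:", mails_sent(flood))     # 3
    # Constructed traffic: five sources, one request each, same target.
    spread = [("203.0.113.%d" % i, "victim@example.com") for i in range(1, 6)]
    print("distributed flood, mails sent:", mails_sent(spread))      # 3
    # Once the window has passed, the legitimate user can request again.
    clock = FakeClock()
    gate = PasswordResetGate(clock=clock)
    for _ in range(4):
        gate.request_reset("198.51.100.7", "victim@example.com")
    clock.advance(3601)
    print("after window:", gate.request_reset("198.51.100.7", "victim@example.com")["mail_sent"])  # True
```

The per-account limit is the one that matters for this CWE-400 case: a per-source limit alone still lets requests spread over many addresses reach the same inbox, whereas capping sends per mailbox bounds the damage regardless of the request's origin. The constant response text keeps the throttled and unthrottled paths indistinguishable to the caller, so adding the limiter does not turn the form into an account-existence oracle.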
