CVE-2023-51293
Published: 19 February 2025
Summary
CVE-2023-51293 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Phpjabbers Event Booking Calendar. Its CVSS base score is 7.5 (High).
Operationally, it ranks at the 46.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SC-5 (Denial-of-service Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-5 requires denial-of-service protections such as rate limiting at system entry points, directly addressing the absence of rate limiting on the 'Forgot Password' and 'Email Settings' features that are abused for email flooding.
SC-6 mandates limits on resource allocation by process or user, preventing resource exhaustion in the email generation system triggered by excessive unauthenticated requests.
SC-14 enforces protections against DoS attacks on public interfaces, mitigating unauthenticated remote exploitation of the vulnerable forgot password and email settings endpoints.
NVD Description
A lack of rate limiting in the 'Forgot Password', 'Email Settings' feature of PHPJabbers Event Booking Calendar v4.0 allows attackers to send an excessive amount of email for a legitimate user, leading to a possible Denial of Service (DoS) via a large amount of generated e-mail messages.
Deeper analysis
CVE-2023-51293 affects PHPJabbers Event Booking Calendar version 4.0, where a lack of rate limiting in the 'Forgot Password' and 'Email Settings' features enables attackers to generate an excessive volume of emails for a legitimate user. This uncontrolled resource consumption, classified under CWE-400, can lead to a Denial of Service (DoS) condition through the sheer number of emails produced. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its network-accessible nature and high availability impact.
Unauthenticated attackers (PR:N) can exploit this remotely (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N) by repeatedly triggering the affected features. Successful exploitation overwhelms the target's email generation and delivery systems, causing resource exhaustion and disrupting service availability without impacting confidentiality or integrity.
Advisories on PacketStorm (http://packetstormsecurity.com/files/176495/PHPJabbers-Event-Booking-Calendar-4.0-Missing-Rate-Limiting.html and https://packetstorm.news/files/id/176495) disclose the missing rate limiting, while the vendor's product page (https://www.phpjabbers.com/event-booking-calendar/#sectionDemo) provides demo access but no patch details in the available references.
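The SC-5 control above amounts to putting a request budget in front of the reset-mail path. The following is an added illustration, not PHPJabbers code, of how a 'Forgot Password' handler can enforce two independent sliding-window budgets (per source IP and per target address) while keeping the user-facing reply identical on both paths; the limits, the in-memory store and the `sendResetMail` placeholder are assumptions (PHP 8 syntax).

```php
<?php
// Added example (not vendor code): sliding-window rate limiting in front of a
// forgot-password handler. The store is a plain array for demonstration;
// in production back it with APCu, Redis or a database table.
final class SlidingWindowLimiter
{
    /** @var array<string, int[]> key => timestamps of recent requests */
    private array $hits = [];

    public function __construct(private int $limit, private int $windowSeconds) {}

    /** Records the request and returns true if the key is still within budget. */
    public function allow(string $key, int $now): bool
    {
        $cutoff = $now - $this->windowSeconds;
        $recent = array_values(array_filter(
            $this->hits[$key] ?? [], fn(int $t) => $t > $cutoff));
        if (count($recent) >= $this->limit) {
            $this->hits[$key] = $recent;      // over budget: drop, do not count
            return false;
        }
        $recent[] = $now;
        $this->hits[$key] = $recent;
        return true;
    }
}

// Two budgets: per source IP (one client cannot flood) and per target address
// (many clients cannot flood one victim's inbox). Values are assumptions.
$perIp      = new SlidingWindowLimiter(limit: 5, windowSeconds: 900);  // 5 per 15 min
$perAccount = new SlidingWindowLimiter(limit: 3, windowSeconds: 3600); // 3 per hour

/** Returns whether a reset mail was actually sent; the HTTP reply never changes. */
function handleForgotPassword(string $ip, string $email, int $now,
    SlidingWindowLimiter $perIp, SlidingWindowLimiter $perAccount): bool
{
    $acct = 'acct:' . strtolower(trim($email));
    if (!$perIp->allow('ip:' . $ip, $now) || !$perAccount->allow($acct, $now)) {
        error_log("forgot-password rate limit hit ip=$ip key=$acct"); // detection signal
        return false;
    }
    // sendResetMail($email);  // placeholder for the application's mail routine
    return true;
}
// Same generic reply on both paths so the limiter does not leak account existence.
$reply = 'If that address is registered, a reset link has been sent.';

// Constructed demo: the 4th request for one address inside an hour sends no mail.
$t = 1_700_000_000;
for ($i = 0; $i < 4; $i++) {
    $sent = handleForgotPassword('203.0.113.10', 'user@example.com', $t + $i, $perIp, $perAccount);
    echo ($i + 1) . ': mail sent=' . var_export($sent, true) . " reply=$reply\n";
}
```

The rejected-request log line is the detection hook: a burst of them for one address or one source IP is the signature of the flooding attempt this CVE describes.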
Details
- CWE(s)