Cyber Posture

CVE-2023-51301

Severity: High · Public PoC referenced

Published: 19 February 2025
Modified: 04 November 2025
KEV Added: not listed
Patch: none referenced
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0023 (46.0th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-51301 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in PHPJabbers Hotel Booking System v4.0. Its CVSS v3.1 base score is 7.5 (High).

Operationally, it ranks at the 46.0th percentile for exploit likelihood (EPSS 0.0023, below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5, AI-generated)

prevent: Directly requires denial-of-service protections, such as rate limiting on the public forgot-email feature, to stop excessive reset requests from exhausting e-mail resources.

prevent: Enforces input restrictions on forgot-email requests to limit their volume and frequency, mitigating uncontrolled resource consumption from repeated submissions.

prevent: Protects resource availability by placing limits on the e-mail generation process targeted by excessive forgot-email reset requests.

NVD Description

A lack of rate limiting in the "Login Section, Forgot Email" feature of PHPJabbers Hotel Booking System v4.0 allows attackers to send an excessive amount of reset requests for a legitimate user, leading to a possible Denial of Service (DoS) via a large amount of generated e-mail messages.

Deeper analysis (AI-generated)

CVE-2023-51301 affects the PHPJabbers Hotel Booking System version 4.0, specifically the "Login Section, Forgot Email" feature. The vulnerability arises from a lack of rate limiting, enabling attackers to send an excessive number of reset requests for a legitimate user account. This leads to a Denial of Service (DoS) condition through the generation of a large volume of email messages. It is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-400 (Uncontrolled Resource Consumption).

Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction. By repeatedly submitting forgot-email reset requests that name a valid user, they cause the application to generate one outbound message per request, so the cost lands on the mail-sending pipeline and on the targeted user's mailbox rather than on the attacker, exhausting e-mail resources and disrupting service availability.
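The block below is an added example written for this page; it is not code from PHPJabbers or from the advisories cited here. It illustrates, in Python rather than the product's PHP, the flaw the NVD description and this analysis describe and the rate-limiting control recommended above: a forgot-email handler that sends mail on every request is placed beside one that caps requests per targeted account and per source address within a sliding window, and a simulated burst of reset requests measures how many e-mails each produces. The account table, the limits, the function names and the stub mailer are all assumptions, not details of the affected product.

```python
# Added example (not PHPJabbers code): a forgot-email handler with and without
# the missing rate limiting. Names, limits and the account table are assumptions.
import time
from collections import defaultdict, deque

# Constructed stand-in for the application's user store.
ACCOUNTS = {"guest@example.com": {"name": "Guest"}}


class RecordingMailer:
    """Stub mailer: records each message instead of sending it, so the
    number of e-mails a request burst produces can be measured."""

    def __init__(self):
        self.sent = []

    def send(self, to, subject):
        self.sent.append((to, subject))


def forgot_email_vulnerable(mailer, account, src_ip):
    """Mirrors the flaw in the advisory: every request naming a valid
    account produces an e-mail, with no cap per account or per client."""
    if account in ACCOUNTS:
        mailer.send(account, "Your login details")
        return "sent"
    return "unknown"


class SlidingWindowLimiter:
    """Per-key sliding-window counter: allow() returns False once `limit`
    events have been recorded for that key inside the last `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._events = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] > self.window:   # drop expired events
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def make_hardened_handler(mailer, per_account=3, per_ip=10, window=3600,
                          clock=time.monotonic):
    """Build a handler that bounds reset mail per targeted account and per
    source address (the limits are assumed values, not from the advisory)."""
    by_account = SlidingWindowLimiter(per_account, window, clock)
    by_ip = SlidingWindowLimiter(per_ip, window, clock)

    def forgot_email_hardened(account, src_ip):
        # Per-source cap: one client cannot drive the endpoint hard,
        # whichever accounts it names.
        if not by_ip.allow(src_ip):
            return "ok"
        # Per-target cap: this is what bounds the mail volume one victim (and
        # the mail pipeline) absorbs, even from many source addresses. It is
        # charged before the account lookup so unknown and known addresses
        # behave identically.
        if by_account.allow(account.lower()) and account in ACCOUNTS:
            mailer.send(account, "Your login details")
        return "ok"   # same response whether or not mail was generated

    return forgot_email_hardened


def flood(handler, target, src_ip, n):
    """Issue n reset requests for one account from one address, as the
    advisory's attacker does."""
    for _ in range(n):
        handler(target, src_ip)


def demo(n=500):
    """Return (mails sent by the vulnerable handler, mails sent by the
    hardened handler) for the same n-request burst against one account."""
    vuln_mailer = RecordingMailer()
    flood(lambda acct, ip: forgot_email_vulnerable(vuln_mailer, acct, ip),
          "guest@example.com", "203.0.113.7", n)
    hard_mailer = RecordingMailer()
    flood(make_hardened_handler(hard_mailer), "guest@example.com",
          "203.0.113.7", n)
    return len(vuln_mailer.sent), len(hard_mailer.sent)


def window_recovers(limit=3, window=60):
    """Show the cap is a window, not a permanent lockout: with a fake clock the
    key is rejected once the window is full and allowed again after it passes."""
    t = [0.0]
    lim = SlidingWindowLimiter(limit, window, clock=lambda: t[0])
    burst = [lim.allow("guest@example.com") for _ in range(limit + 1)]
    t[0] += window + 1
    return burst, lim.allow("guest@example.com")


if __name__ == "__main__":
    print("vulnerable vs hardened mails for 500 requests:", demo())
    print("burst then recovery:", window_recovers())
```

Two design points matter for this CVE specifically. The per-account cap is the control that actually bounds the damage, because an attacker spreading requests across many source addresses defeats a per-IP limit alone; the per-IP limit is a cheap first filter. The hardened handler also returns the same response whether or not a message was generated, which keeps the endpoint from doubling as an account-existence oracle. In a real multi-process PHP deployment the counters would have to live in shared storage (a database table or cache) rather than in process memory, otherwise each worker enforces its own, larger effective limit.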

Advisories on PacketStorm, including detailed reports and proof-of-concept exploits, document the missing rate limiting in the affected feature. References also include the vendor's demo page for the Hotel Booking System, though no specific patches or mitigation steps are detailed in the provided sources.

Details

CWE(s): CWE-400 (Uncontrolled Resource Consumption)

Affected Products: phpjabbers · hotel booking system · 4.0

CVEs Like This One

CVE-2023-51302 (same product: Phpjabbers Hotel Booking System)
CVE-2023-51314 (same vendor: Phpjabbers)
CVE-2023-51293 (same vendor: Phpjabbers)
CVE-2023-51316 (same vendor: Phpjabbers)
CVE-2023-51313 (same vendor: Phpjabbers)
CVE-2024-57428 (same vendor: Phpjabbers)
CVE-2023-53926 (same vendor: Phpjabbers)
CVE-2024-57430 (same vendor: Phpjabbers)
CVE-2023-51333 (same vendor: Phpjabbers)
CVE-2023-51311 (same vendor: Phpjabbers)
