CVE-2023-51314
Published: 20 February 2025
Summary
CVE-2023-51314 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Phpjabbers Restaurant Booking System. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE is ranked at the 46.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2023-51314 affects the PHPJabbers Restaurant Booking System version 3.0, where a lack of rate limiting in the 'Forgot Password' and 'Email Settings' features enables attackers to trigger an excessive volume of emails for legitimate users. This flaw leads to a Denial of Service (DoS) condition through the generation of a large number of email messages, consuming server resources. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is linked to CWE-400 (Uncontrolled Resource Consumption).
Unauthenticated attackers with network access can exploit this issue remotely and with low complexity, requiring no user interaction. By repeatedly abusing the affected features, they can inundate the target system or its email infrastructure with messages tied to valid user accounts, resulting in high-impact availability disruption without affecting confidentiality or integrity.
Details on the vulnerability, including proof-of-concept information, are documented in advisories hosted on PacketStormsecurity.com (e.g., http://packetstormsecurity.com/files/176496/PHPJabbers-Restaurant-Booking-System-3.0-Missing-Rate-Limiting.html). No patches or specific mitigations are detailed in the available references; affected users should monitor the vendor's site (https://www.phpjabbers.com/restaurant-booking-system/#sectionDemo) for updates and consider implementing custom rate limiting on email-related endpoints.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-56035
Vulnerability details
A lack of rate limiting in the 'Forgot Password' and 'Email Settings' features of PHPJabbers Restaurant Booking System v3.0 allows attackers to send an excessive amount of email for a legitimate user, leading to a possible Denial of Service (DoS) via a large amount of generated e-mail messages.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing rate limiting on forgot-password/email features directly enables application exhaustion flood via repeated unauthenticated requests (T1499.003) and email bombing (T1667) resulting in DoS.
Mitigating Controls (NIST 800-53 r5)
SC-5 (Denial-of-service Protection): directly mitigates the CVE by implementing denial-of-service protections such as rate limiting on the forgot-password and email-settings endpoints to prevent excessive email generation.
SC-6 (Resource Availability): protects against uncontrolled resource consumption by placing limits on the resources consumed by email processing triggered by repeated requests.
Boundary protection: enforces rate limiting and traffic controls at the network edge to block floods of requests aimed at the vulnerable public features.
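As an added illustration of the custom rate limiting recommended above (example code written for this page, not part of the PHPJabbers product, which is written in PHP), the gate below budgets password-reset requests both per source address and per target mailbox; the second budget is what limits a flood aimed at one legitimate user regardless of how many addresses it comes from. The limits, IP addresses and mailbox names are constructed sample values.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key, now=None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._events[key]
        while q and q[0] <= now - self.window:  # discard events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ForgotPasswordGate:
    """Two independent budgets in front of the reset-mail sender (hypothetical limits)."""

    def __init__(self, send_mail):
        self.per_client = SlidingWindowLimiter(limit=5, window=300)     # 5 requests / 5 min per IP
        self.per_account = SlidingWindowLimiter(limit=3, window=3600)   # 3 mails / hour per mailbox
        self.send_mail = send_mail

    def handle(self, client_ip: str, email: str, now=None):
        """Return (http_status, reason); only the first branch reveals the rejection."""
        if not self.per_client.allow(client_ip, now):
            return 429, "client rate limit exceeded"
        if not self.per_account.allow(email.strip().lower(), now):
            # Accept but do not send: the mailbox already holds a valid reset link.
            # Same status as success, so the response does not become an enumeration oracle.
            return 202, "account budget exhausted, no mail sent"
        self.send_mail(email)
        return 202, "reset mail queued"


if __name__ == "__main__":
    sent = []
    gate = ForgotPasswordGate(sent.append)
    # Constructed scenario: 20 requests for one mailbox from 20 different source addresses.
    results = [gate.handle(f"203.0.113.{i}", "victim@example.com", now=100.0 + i) for i in range(20)]
    print(f"{len(sent)} mails sent, {sum(r[0] == 429 for r in results)} requests rejected by IP limit")
```

The `now` parameter exists so the behaviour can be tested deterministically; in production it is left unset and `time.monotonic()` is used.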