Cyber Resilience

CVE-2023-51314

Severity: High · Public PoC · DDoS

Published: 20 February 2025
Modified: 04 November 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0023 (46.4th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-51314 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in the PHPJabbers Restaurant Booking System. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE is ranked at the 46.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2023-51314 affects the PHPJabbers Restaurant Booking System version 3.0, where a lack of rate limiting in the 'Forgot Password' and 'Email Settings' features enables attackers to trigger an excessive volume of emails for legitimate users. This flaw leads to a Denial of Service (DoS) condition through the generation of a large number of email messages, consuming server resources. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is linked to CWE-400 (Uncontrolled Resource Consumption).

Unauthenticated attackers with network access can exploit this issue remotely and with low complexity, requiring no user interaction. By repeatedly abusing the affected features, they can inundate the target system or its email infrastructure with messages tied to valid user accounts, resulting in high-impact availability disruption without affecting confidentiality or integrity.

Details on the vulnerability, including proof-of-concept information, are documented in advisories hosted on Packet Storm Security (e.g., http://packetstormsecurity.com/files/176496/PHPJabbers-Restaurant-Booking-System-3.0-Missing-Rate-Limiting.html). No patches or specific mitigations are detailed in the available references; affected users should monitor the vendor's site (https://www.phpjabbers.com/restaurant-booking-system/#sectionDemo) for updates and consider implementing custom rate limiting on email-related endpoints.
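The custom rate limiting recommended above, worked through as an added example: this is not PHPJabbers code and not taken from the advisory. It models a 'Forgot Password' handler that budgets requests per source IP and, separately, per target account in a sliding time window, so that neither a single host cycling through many accounts nor many hosts targeting one victim can turn the endpoint into a mail flood. The thresholds, the handler name and the simulated mailer are assumptions chosen for illustration.

```python
"""
Added example (not PHPJabbers code): a sliding-window rate limiter for a
password-reset / email-sending endpoint, keyed both by client IP and by the
target account, so that repeated unauthenticated requests stop producing mail.
All thresholds and the handler are assumptions chosen for illustration.
"""
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps inside the window

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._events[key]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ResetMailer:
    """Simulated 'Forgot Password' handler; records mails instead of sending."""

    def __init__(self):
        self.sent = []  # (ip, email) pairs that actually produced a message
        self.ip_limiter = SlidingWindowLimiter(limit=5, window=60)      # per source IP
        self.acct_limiter = SlidingWindowLimiter(limit=2, window=600)   # per target account

    def forgot_password(self, client_ip, email, now):
        """Return a (status, message) tuple. The user-visible message is the
        same whether or not a mail was generated, so throttling does not
        reveal which accounts exist."""
        email = email.strip().lower()
        # IP budget first: one host hammering the endpoint is cut off here.
        if not self.ip_limiter.allow(client_ip, now):
            return ("throttled", "Too many requests; try again later.")
        # Per-account budget: stops a distributed flood aimed at one victim.
        if not self.acct_limiter.allow(email, now):
            return ("ok", "If the account exists, a reset link has been sent.")
        self.sent.append((client_ip, email))
        return ("ok", "If the account exists, a reset link has been sent.")


def simulate_flood(attempts=50, client_ip="198.51.100.7", victim="victim@example.com"):
    """Replay `attempts` reset requests one second apart from a single source and
    return (mails actually generated, requests rejected by the IP limiter)."""
    mailer = ResetMailer()
    statuses = []
    for i in range(attempts):
        status, _ = mailer.forgot_password(client_ip, victim, now=float(i))
        statuses.append(status)
    return len(mailer.sent), statuses.count("throttled")


if __name__ == "__main__":
    print(simulate_flood())  # (2, 45): two mails sent, 45 requests throttled
```

The per-account limiter matters as much as the per-IP one: an IP-only limit leaves a victim exposed to a distributed flood, and the account limit alone lets one host exhaust the mailer across many accounts. Returning the same response after the account budget is spent keeps the endpoint from becoming a username oracle while still generating no mail.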


Vulnerability details

A lack of rate limiting in the 'Forgot Password' and 'Email Settings' features of PHPJabbers Restaurant Booking System v3.0 allows attackers to send an excessive amount of email for a legitimate user, leading to a possible Denial of Service (DoS) via a large amount of generated e-mail messages.

CWE(s): CWE-400 (Uncontrolled Resource Consumption)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1499.003 Application Exhaustion Flood (Impact): Adversaries may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
T1667 Email Bombing (Impact): Adversaries may flood targeted email addresses with an overwhelming volume of messages.
Why these techniques?

Missing rate limiting on forgot-password/email features directly enables application exhaustion flood via repeated unauthenticated requests (T1499.003) and email bombing (T1667) resulting in DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
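On the detection side of the mapping above, the unauthenticated request flood leaves an obvious trace in web-server access logs. The following is an added example, not part of the advisory or the product: it parses constructed Apache combined-format lines, counts POSTs to the reset endpoint per client IP within a sliding window, and flags sources that exceed a threshold. The endpoint path `/forgot-password`, the threshold and the sample lines are assumptions; the real product's URL would be substituted.

```python
"""
Added example (not from the advisory or the product): flag sources that burst
POST requests against a password-reset endpoint by counting requests per client
IP inside a sliding time window. Log lines are constructed in Apache combined
format; the endpoint path, threshold and addresses are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one source sends 8 reset requests in 40 seconds,
# a second source sends a single reset request and a normal page view.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.5 - - [20/Feb/2025:10:00:{s:02d} +0000] '
     f'"POST /forgot-password HTTP/1.1" 200 512' for s in range(0, 40, 5)]
    + ['198.51.100.2 - - [20/Feb/2025:10:00:12 +0000] "POST /forgot-password HTTP/1.1" 200 512',
       '198.51.100.2 - - [20/Feb/2025:10:00:13 +0000] "GET / HTTP/1.1" 200 2048']
)


def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        yield (m["ip"], datetime.strptime(m["ts"], TIME_FMT),
               m["method"], m["path"], int(m["status"]))


def flag_bursts(log_text, path="/forgot-password", threshold=3,
                window=timedelta(seconds=60)):
    """Return {ip: peak requests in any `window`} for IPs whose peak exceeds
    `threshold` POSTs to `path`. Query strings are ignored when matching."""
    per_ip = defaultdict(list)
    for ip, ts, method, req_path, _ in parse(log_text):
        if method == "POST" and req_path.split("?")[0] == path:
            per_ip[ip].append(ts)

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        # Two-pointer sweep: `start` trails so that times[start..end] fit in the window.
        for end, t in enumerate(times):
            while t - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(flag_bursts(SAMPLE_LOG))  # {'203.0.113.5': 8}
```

Access logs normally carry no POST body, so this view is per source rather than per targeted account; correlating it with the mailer's outbound queue (or the application's own reset-request log, if it keeps one) is what reveals the T1667 side, a single victim address receiving the flood.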

CVEs Like This One

CVE-2023-51313: same product (PHPJabbers Restaurant Booking System)
CVE-2023-51316: same vendor (PHPJabbers)
CVE-2023-51301: same vendor (PHPJabbers)
CVE-2023-51293: same vendor (PHPJabbers)
CVE-2023-53926: same vendor (PHPJabbers)
CVE-2026-4726: shared CWE-400
CVE-2024-57430: same vendor (PHPJabbers)
CVE-2025-21545: shared CWE-400
CVE-2026-36958: shared CWE-400
CVE-2026-6780: shared CWE-400

Affected Assets

Vendor: phpjabbers
Product: restaurant booking system
Version: 3.0

Mitigating Controls (NIST 800-53 r5, AI mapping)

Prevent: Directly mitigates the CVE by implementing denial-of-service protections such as rate limiting on the forgot-password and email-settings endpoints to prevent excessive email generation.

Prevent: Protects against uncontrolled resource consumption by allocating limits on resources used for email processing triggered by repeated requests.

Prevent: Enforces boundary protections, including rate limiting and traffic controls, to block floods of requests targeting the vulnerable public features.

References