CVE-2023-51301

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to send unlimited password reset requests for legitimate users in PHPJabbers Hotel Booking System v4.0, potentially causing denial of service through email spam. Any organization using this specific version of the hotel booking system is affected. The attack requires no authentication and can target any user with an email address in the system.

💻 Affected Systems

Products:
  • PHPJabbers Hotel Booking System
Versions: Version 4.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 4.0 are vulnerable regardless of configuration. The vulnerability is in the core application code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete email system disruption for targeted users, potential email server overload, and service unavailability for legitimate password reset requests.

🟠 Likely Case

Targeted users receive hundreds of password reset emails, causing inbox flooding and temporary inability to access legitimate emails.

🟢 If Mitigated

Limited impact with proper rate limiting, where only a few reset emails can be sent per user within a time window.

🌐 Internet-Facing: HIGH - The vulnerable feature is typically internet-facing in hotel booking systems, allowing remote exploitation without authentication.
🏢 Internal Only: LOW - This is primarily an internet-facing application vulnerability, though internal users could also be targeted if the system is accessible internally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only basic HTTP request knowledge and can be automated with simple scripts. No special tools or advanced skills needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 4.1 or later

Vendor Advisory: https://www.phpjabbers.com/hotel-booking-system/

Restart Required: No

Instructions:

1. Download the latest version from the PHPJabbers website.
2. Back up the current installation.
3. Replace the vulnerable files with the patched version.
4. Test functionality.

No server restart is required.

🔧 Temporary Workarounds

Implement Web Application Firewall (WAF) Rules

Configure the WAF to rate limit requests to the forgot email endpoint.

Modify Application Code (PHP)

Add rate limiting logic to the forgot email function in the PHP code:

// Add session-based or IP-based request counting with time limits

🧯 If You Can't Patch

  • Implement network-level rate limiting at firewall or load balancer for requests to /index.php?controller=pjUser&action=pjActionForgot
  • Monitor email server logs for unusual volume of password reset emails and implement alerting

🔍 How to Verify

Check if Vulnerable:

Test by sending multiple consecutive POST requests to the forgot email endpoint without delay and check if all generate emails

Check Version:

Check admin panel or view source code for version information, typically in footer or configuration files

Verify Fix Applied:

After patching, repeat the same test: only the first request should succeed; subsequent requests should be blocked or delayed.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to pjActionForgot from same IP in short timeframe
  • Unusual volume of password reset email generation in mail logs

Network Indicators:

  • High frequency of requests to /index.php?controller=pjUser&action=pjActionForgot
  • Pattern of repeated forgot password attempts

SIEM Query:

source="web_logs" AND uri="/index.php?controller=pjUser&action=pjActionForgot" | stats count by src_ip | where count > 5
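The log indicators and the SIEM query above, implemented as a small offline detector (an added example, not code from the advisory or the vendor): it parses Apache/nginx combined-format access-log lines, keeps a sliding window of POSTs to the pjActionForgot endpoint per source IP, and reports any IP that exceeds five requests in 60 seconds. The threshold and window are assumed tuning values mirroring the query's count > 5, and the log lines are constructed samples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

TARGET_URI = "/index.php?controller=pjUser&action=pjActionForgot"   # endpoint named in the advisory
THRESHOLD = 5         # alert once an IP exceeds this many reset POSTs ...
WINDOW_SECONDS = 60   # ... inside this sliding window (assumed tuning values)

# Apache/nginx "combined" access-log format: ip ident user [ts] "METHOD URI PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" \d{3}')

def parse_line(line):
    """Return (ip, timestamp, method, uri), or None when the line is not a combined-log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("uri")

def find_reset_floods(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of POSTs to the forgot-password endpoint per source IP.
    Returns {ip: peak_count_in_window} for every IP that exceeded the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of matching POSTs still inside the window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # malformed line: skip it rather than abort the whole run
        ip, ts, method, uri = parsed
        if method != "POST" or not uri.startswith(TARGET_URI):
            continue              # GET only renders the form; other URIs are irrelevant here
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()           # drop timestamps that have aged out of the window
        if len(q) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

# Constructed sample log (not real traffic): 203.0.113.7 fires six reset POSTs within 20 seconds,
# 198.51.100.4 makes one legitimate request, a GET only loads the form, and the last line is junk.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Jan/2024:12:00:{s:02d} +0000] "POST {TARGET_URI} HTTP/1.1" 200 512'
    for s in (1, 4, 8, 11, 15, 20)
] + [
    f'203.0.113.7 - - [10/Jan/2024:12:00:00 +0000] "GET {TARGET_URI} HTTP/1.1" 200 2048',
    f'198.51.100.4 - - [10/Jan/2024:12:00:09 +0000] "POST {TARGET_URI} HTTP/1.1" 200 512',
    'garbage line that does not match the log format',
]
```

Calling find_reset_floods(SAMPLE_LOG) returns {'203.0.113.7': 6}: the single legitimate request and the GET are ignored, and the malformed line is skipped. Feed real access-log lines through the same function to reproduce the SIEM query outside the SIEM.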
