CVE-2023-51312

5.4 MEDIUM

📋 TL;DR

PHPJabbers Restaurant Booking System v3.0 contains a reflected cross-site scripting vulnerability in the Schedule section's date parameter. Attackers can inject malicious scripts that execute in victims' browsers when they click specially crafted links. This affects all users of the vulnerable version who access the Reservations menu.

💻 Affected Systems

Products:
  • PHPJabbers Restaurant Booking System
Versions: v3.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the web interface component; requires user interaction to trigger via malicious link.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deface the application interface.

🟠 Likely Case

Attackers would typically use this to steal session cookies or credentials from authenticated users, potentially leading to account compromise.

🟢 If Mitigated

With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executed code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking malicious link) but is technically simple with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check vendor website for updates.
2. If patch available, download and install.
3. Test functionality after update.

🔧 Temporary Workarounds

Input Validation Filter

all

Add server-side validation to sanitize date parameter input

Modify PHP code to validate date format and sanitize input before processing

Output Encoding

all

Implement proper output encoding for all user-controlled data

Use htmlspecialchars() or similar functions when outputting user data

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads
  • Restrict access to vulnerable interface to trusted users only

🔍 How to Verify

Check if Vulnerable:

Test by injecting basic XSS payload into date parameter: ?date=<script>alert('XSS')</script>

Check Version:

Check system version in admin panel or readme files

Verify Fix Applied:

Test same payload after fix - should display as encoded text rather than executing script

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing script tags or JavaScript in date parameter
  • Unusual length or format in date parameter values

Network Indicators:

  • Malicious URLs containing script payloads being accessed

SIEM Query:

web.url:*date=*script* OR web.url:*date=*javascript*
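
The two log indicators above, as an added Python example (not code from the vendor or from the original advisory): it percent-decodes each logged `date` value, including nested encoding, and flags anything that is not a well-formed date instead of relying on keywords alone. The ISO date format, the `/index.php` path and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: legitimate date values are ISO dates (YYYY-MM-DD); adjust to the
# format your installation actually sends.
DATE_OK = re.compile(r"\d{4}-\d{2}-\d{2}")
# Markup characters plus the two keywords used in the SIEM query above.
MARKUP = re.compile(r"[<>\"']|script|javascript", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # peel nested percent-encoding (%253C -> %3C -> <)

# Constructed sample request URLs; the path is a placeholder.
SAMPLE_URLS = [
    "/index.php?date=2024-03-15",
    "/index.php?date=<script>alert('XSS')</script>",
    "/index.php?date=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E",
    "/index.php?date=%253Cscript%253E",
    "/index.php?date=15/03/2024",
]


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(url: str) -> str:
    """Return 'ok', 'malformed' or 'xss-suspect' for one logged request URL."""
    verdict = "ok"
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for raw in params.get("date", []):
        value = fully_decode(raw)
        if DATE_OK.fullmatch(value):
            continue  # well-formed date, nothing to report
        if MARKUP.search(value):
            return "xss-suspect"  # markup in a field that should hold a date
        verdict = "malformed"  # unusual length or format, worth a look
    return verdict


def flagged(urls):
    """Return (verdict, url) pairs for every request that is not 'ok'."""
    return [(v, u) for u in urls if (v := classify_request(u)) != "ok"]


if __name__ == "__main__":
    for verdict, url in flagged(SAMPLE_URLS):
        print(f"{verdict:12} {url}")
```
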
