CVE-2023-51315

5.4 MEDIUM

📋 TL;DR

PHPJabbers Restaurant Booking System v3.0 contains multiple stored cross-site scripting (XSS) vulnerabilities in several parameters (seat_name, plugin_sms_api_key, plugin_sms_country_code, title, name). Attackers can inject malicious scripts that execute when other users view affected pages, potentially stealing session cookies or performing actions as authenticated users. This affects all installations of version 3.0.

💻 Affected Systems

Products:
  • PHPJabbers Restaurant Booking System
Versions: Version 3.0
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in multiple input parameters across the application. No special configuration is required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, gain full administrative access to the booking system, modify reservations, access customer data, or deploy additional malware.

🟠 Likely Case

Attackers inject malicious JavaScript to steal user session cookies, potentially compromising user accounts and accessing reservation data.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before execution, preventing exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to access vulnerable input fields. Public proof-of-concept details are available in Packet Storm references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

1. Check vendor website for security updates.
2. If patch available, download and apply according to vendor instructions.
3. Test functionality after patching.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Validate all user input on the server and HTML-encode user-supplied values when they are rendered, especially the vulnerable parameters.

Apply PHP htmlspecialchars() or htmlentities() to all output from the affected parameters

Content Security Policy

all

Implement a strict Content Security Policy header to prevent execution of inline scripts.

Add header: Content-Security-Policy: script-src 'self'

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in affected parameters
  • Restrict access to the booking system admin interface to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

Test the input fields (seat_name, plugin_sms_api_key, plugin_sms_country_code, title, name) with XSS payloads like <script>alert('XSS')</script> and check whether the script executes when the stored data is viewed.

Check Version:

Check application version in admin panel or review source code for version indicators

Verify Fix Applied:

After implementing fixes, test with the same XSS payloads to confirm that scripts no longer execute. Check that input is properly encoded in output.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests containing script tags or JavaScript in affected parameter names
  • Multiple failed login attempts followed by successful login and parameter manipulation

Network Indicators:

  • HTTP requests with script tags in parameter values
  • Outbound connections to suspicious domains from the booking system

SIEM Query:

source="web_logs" AND (param_name IN ("seat_name", "plugin_sms_api_key", "plugin_sms_country_code", "title", "name")) AND (param_value CONTAINS "<script>" OR param_value CONTAINS "javascript:")
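
The query above compares literal strings, but form bodies are percent-encoded on the wire, so a logged value may read %3Cscript%3E rather than <script>. The following is an added example, not part of the original advisory or the vendor's code: it decodes each field before applying the same two markers to the five affected parameters. The log layout, paths and sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# Parameter names listed in the advisory.
AFFECTED = {"seat_name", "plugin_sms_api_key", "plugin_sms_country_code",
            "title", "name"}
# Same two markers as the SIEM query, matched case-insensitively.
MARKERS = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)
# Assumed (constructed) log layout: "<time> <client> <method> <path> body=<form body>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) body=(.*)$")

def decode_fully(value, max_rounds=3):
    """Undo extra layers of percent-encoding left after form parsing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (time, client, param, decoded value) for each suspicious field."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(3) != "POST":
            continue
        when, client, _method, _path, body = m.groups()
        # parse_qsl removes one layer of form encoding ('+' and %XX).
        for param, value in parse_qsl(body, keep_blank_values=True):
            value = decode_fully(value)
            if param in AFFECTED and MARKERS.search(value):
                hits.append((when, client, param, value))
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE = [
    "2024-01-10T09:15:02Z 203.0.113.7 POST /app/save body=seat_name=Table+4&title=Window",
    "2024-01-10T09:16:40Z 203.0.113.7 POST /app/save body=seat_name=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E",
    "2024-01-10T09:17:05Z 198.51.100.9 POST /app/save body=title=%253CSCRIPT%253Ealert(1)%253C%252FSCRIPT%253E",
    "2024-01-10T09:18:11Z 198.51.100.9 POST /app/save body=comment=%3Cscript%3Ex%3C%2Fscript%3E",
    "2024-01-10T09:19:30Z 192.0.2.44 GET /app/list body=",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The fourth sample line is skipped because comment is not one of the listed parameters; widen AFFECTED if the deployment logs other stored fields.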
