CVE-2023-51323

6.5 MEDIUM

📋 TL;DR

This vulnerability allows attackers to send excessive password reset emails to legitimate users by exploiting missing rate limiting in the Forgot Password feature. This can lead to denial of service through email flooding. Organizations using PHPJabbers Shared Asset Booking System v1.0 are affected.

💻 Affected Systems

Products:
  • PHPJabbers Shared Asset Booking System
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific version mentioned; other versions may have different security implementations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete email system disruption for targeted users, potential email server overload, and service unavailability for legitimate password reset requests.

🟠 Likely Case

Targeted users receive hundreds of password reset emails, causing inbox flooding and temporary service disruption for those users.

🟢 If Mitigated

Minimal impact with proper rate limiting and email monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and can be performed with simple HTTP requests to the password reset endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Implement Rate Limiting (Platform: all)

Add rate limiting to the Forgot Password endpoint to restrict requests per IP/user.

Modify PHP code to track requests and implement delays or blocks after a threshold is reached.

Web Application Firewall Rule (Platform: all)

Configure WAF to limit requests to the password reset endpoint.

Add rule: Rate limit POST requests to /forgot-password endpoint

🧯 If You Can't Patch

  • Disable the Forgot Password feature if not essential
  • Implement network-level rate limiting at the firewall or load balancer

🔍 How to Verify

Check if Vulnerable:

Test by sending multiple password reset requests to the same email address from the same IP within a short timeframe.

Check Version:

Check application version in admin panel or configuration files.

Verify Fix Applied:

After implementing rate limiting, verify that excessive password reset requests are blocked or delayed.

📡 Detection & Monitoring

Log Indicators:

  • Multiple password reset attempts from the same IP in a short timeframe
  • Unusual spike in password reset email generation

Network Indicators:

  • High volume of POST requests to the password reset endpoint
  • Repeated requests with the same parameters (e.g. the same target email address)

SIEM Query:

source="web_logs" AND (uri_path="/forgot-password" OR uri_path="/password-reset") AND status=200 | stats count by src_ip
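The per-IP sliding-window check described under Temporary Workarounds, applied here to constructed web-server log lines so that it doubles as the detection the SIEM query above performs: source IPs that exceed the limit on the reset endpoints are flagged. This is an added example, not code from PHPJabbers or from this advisory; the endpoint paths come from the page, while the log format, the threshold (5 requests per 60 seconds) and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Endpoint paths taken from the SIEM query on this page.
RESET_PATHS = {"/forgot-password", "/password-reset"}
# Apache combined-style access log; assumed format for the constructed sample.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit=5, window=60):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # key -> timestamps of allowed events

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:  # drop events that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False  # budget exhausted: reject (or delay) and log
        q.append(now)
        return True


def flag_reset_floods(log_text, limit=5, window=60):
    """Return {src_ip: rejected_count} for IPs exceeding the reset-request limit."""
    limiter = SlidingWindowLimiter(limit, window)
    rejected = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method != "POST" or path not in RESET_PATHS or status != "200":
            continue
        now = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if not limiter.allow(ip, now):
            rejected[ip] += 1
    return dict(rejected)


# Constructed sample log lines (documentation-range addresses); not real traffic.
SAMPLE_LOGS = "\n".join(
    [f'203.0.113.7 - - [10/Jan/2024:10:00:{i:02d} +0000] "POST /forgot-password HTTP/1.1" 200 512'
     for i in range(12)]
    + ['198.51.100.4 - - [10/Jan/2024:10:00:30 +0000] "POST /forgot-password HTTP/1.1" 200 512',
       '198.51.100.4 - - [10/Jan/2024:10:02:00 +0000] "POST /forgot-password HTTP/1.1" 200 512',
       '203.0.113.7 - - [10/Jan/2024:10:00:40 +0000] "GET /index.php HTTP/1.1" 200 2048'])

if __name__ == "__main__":
    print(flag_reset_floods(SAMPLE_LOGS))  # {'203.0.113.7': 7}
```

The same `SlidingWindowLimiter.allow` check, keyed on the client IP (or the target email address), is what the PHP endpoint needs to call before sending a reset email.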
