CVE-2023-51334

5.3 MEDIUM

📋 TL;DR

The 'Forgot Password' feature in PHPJabbers Cinema Booking System v1.0 applies no rate limiting, so an unauthenticated attacker can submit a victim's email address repeatedly and have the application send that user an unbounded stream of password reset emails. The result is a denial of service: the victim's inbox is flooded and the site's outbound mail capacity can be exhausted. Every v1.0 installation with the feature enabled is affected.

💻 Affected Systems

Products:
  • PHPJabbers Cinema Booking System
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the 'Forgot Password' feature enabled and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Outbound mail from the application is saturated by reset messages, so legitimate password recovery and any other notification the system sends is delayed or fails; if the sending domain or relay is shared with other services, the flood can also get it flagged as a spam source, degrading mail delivery for everything that uses it.

🟠 Likely Case

Targeted users receive hundreds of password reset emails, flooding their inboxes and burying real mail (including a genuine reset link) until the attack stops.

🟢 If Mitigated

Minimal impact: with request limits keyed by client IP and target address, and alerting on unusual reset-mail volume, an attacker gets at most a handful of emails per victim per window.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Each HTTP POST to the password reset endpoint carrying a victim's address triggers another reset email, and nothing limits how many a single client may send; a loop of plain HTTP requests is enough, no authentication or special tooling required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is known at the time of writing. Check the vendor for a release that adds rate limiting to the 'Forgot Password' feature; until one is available, apply the workarounds below.

🔧 Temporary Workarounds

Implement Rate Limiting

Applies to: all platforms

Add rate limiting to the password reset endpoint, keyed by client IP and by target email address. A per-IP limit alone is defeated by spreading requests over many source addresses while a single victim mailbox is still flooded; a per-address limit alone lets one client target many victims.

Modify /includes/forgot_password.php to count requests per key within a time window and skip (or delay) the mail send once the limit is reached, while keeping the response identical whether or not a mail was sent so the endpoint does not reveal account existence.

Disable Password Reset Feature

Applies to: all platforms

Temporarily disable the vulnerable 'Forgot Password' functionality until rate limiting is in place.

Comment out or remove the password reset form and its endpoint; removing only the form is not enough, since the attacker posts directly to the endpoint.
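The rate-limiting workaround above, worked through as an added example (this is illustration for the advisory, not PHPJabbers code, and the product's real handler is PHP, to which the same logic ports directly). It shows the reported flaw, a handler that sends a mail on every request, next to a hardened handler that checks a per-IP and a per-target-address window before sending. The thresholds, names, the in-memory store and the victim address are assumptions for the example:

```python
"""Password-reset handler before and after adding rate limiting.

Added illustration for this advisory (not PHPJabbers code). The product's
real handler is PHP; the logic shown here, a per-IP and a per-target-address
window checked before any mail is sent, ports directly. Thresholds, names
and the in-memory store are assumptions for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple


@dataclass
class MailSpy:
    """Stand-in for the outbound mailer: records what would have been sent."""
    sent: List[Tuple[str, str]] = field(default_factory=list)

    def send_reset(self, to_addr: str, token: str) -> None:
        self.sent.append((to_addr, token))


def vulnerable_forgot_password(mailer: MailSpy, email: str) -> str:
    """Mirrors the reported flaw: every request sends a mail, nothing is counted."""
    mailer.send_reset(email, token="constructed-token")
    return "If the address exists, a reset link has been sent."


class ResetRateLimiter:
    """Sliding-window counters keyed by client IP and by target address.

    Both keys are needed: a per-IP limit alone is bypassed by rotating source
    addresses while one victim mailbox is still flooded, and a per-address
    limit alone lets one client target many victims.
    """

    def __init__(self, per_ip: int = 5, per_email: int = 3, window_s: int = 3600):
        self.per_ip, self.per_email, self.window_s = per_ip, per_email, window_s
        self._ip_hits: Dict[str, Deque[float]] = defaultdict(deque)
        self._email_hits: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, q: Deque[float], now: float) -> None:
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()

    def allow(self, client_ip: str, email: str, now: float) -> bool:
        """Record the hit and return True only if both windows have headroom."""
        ip_q = self._ip_hits[client_ip]
        em_q = self._email_hits[email.strip().lower()]
        self._prune(ip_q, now)
        self._prune(em_q, now)
        if len(ip_q) >= self.per_ip or len(em_q) >= self.per_email:
            return False
        ip_q.append(now)
        em_q.append(now)
        return True


def hardened_forgot_password(limiter: ResetRateLimiter, mailer: MailSpy,
                             client_ip: str, email: str, now: float) -> str:
    """Same flow, but the limiter gates the mail call.

    The response is identical whether or not a mail went out, so the endpoint
    reveals neither account existence nor the limiter's state.
    """
    if limiter.allow(client_ip, email, now):
        mailer.send_reset(email, token="constructed-token")
    return "If the address exists, a reset link has been sent."


def simulate(hardened: bool, attempts: int = 50, rotate_ips: bool = False) -> int:
    """Fire `attempts` reset requests for one victim; return how many mails went out.

    rotate_ips=True models an attacker spreading requests over many source IPs.
    """
    mailer, limiter = MailSpy(), ResetRateLimiter()
    for i in range(attempts):
        ip = f"203.0.113.{i}" if rotate_ips else "203.0.113.7"
        if hardened:
            hardened_forgot_password(limiter, mailer, ip, "victim@example.com", now=1000.0 + i)
        else:
            vulnerable_forgot_password(mailer, "victim@example.com")
    return len(mailer.sent)


if __name__ == "__main__":
    print("vulnerable handler, 50 requests:", simulate(False), "mails")
    print("hardened handler, 50 requests:  ", simulate(True), "mails")
    print("hardened, 50 rotating IPs:      ", simulate(True, rotate_ips=True), "mails")
```

Fifty requests against the vulnerable handler produce fifty emails; against the hardened handler the per-address limit stops the victim's mail at three, whether the requests come from one IP or fifty. In a real deployment the counters belong in a shared store (database table or cache) rather than process memory, since PHP requests do not share state.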

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to limit requests to the password reset endpoint
  • Monitor email server logs for abnormal password reset email volumes

🔍 How to Verify

Check if Vulnerable:

Against an instance and account you control, submit several password reset requests for the same email address from the same IP within a minute or two and count the messages that arrive. A vulnerable installation sends one email per request with no refusal or delay.

Check Version:

Check the system version in the admin panel or read the version file if present.

Verify Fix Applied:

After implementing rate limiting, repeat the same test: requests beyond the configured limit must produce no additional emails (a web-tier limit may also answer them with HTTP 429), while the application's visible response stays the same so that it does not reveal whether an account exists.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to password reset endpoint from same IP
  • Abnormal email sending volume in mail server logs

Network Indicators:

  • High volume of HTTP POST requests to /forgot-password or similar endpoints

SIEM Query:

The original's pseudo-query, expressed in Splunk SPL (field names and endpoint paths are examples and must match your web log source; drop src_ip from the BY clause for a site-wide count, which catches a flood spread over many source IPs):

source="web_logs" method=POST (uri_path="/forgot-password" OR uri_path="/reset-password")
| bin _time span=1m
| stats count BY _time, src_ip
| where count > 10
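The same detection run over access-log lines, as an added example for this advisory (not part of the original page or the vendor's product). It parses combined-format web log entries, counts POSTs to the reset endpoints per source IP per minute, and also totals them site-wide so a distributed flood with few requests per IP is still caught. The sample log lines are constructed; the endpoint paths and the 10-per-minute threshold mirror the SIEM query above and are assumptions to tune per deployment:

```python
"""Detect password-reset flooding in web server access logs.

Added illustration for this advisory, not part of the page or the vendor's
product. Log lines are constructed Apache/nginx combined-format entries; the
endpoint paths and the 10-per-minute threshold are assumptions to tune.
"""
import re
from collections import Counter
from datetime import datetime
from typing import List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Assumed endpoint paths; the advisory names /includes/forgot_password.php
# and /forgot-password, so both spellings are watched.
RESET_PATHS = {"/forgot-password", "/reset-password", "/includes/forgot_password.php"}
THRESHOLD_PER_MINUTE = 10


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str]]:
    """Return (ip, timestamp, method, path) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # ignore the query string
    return m["ip"], ts, m["method"], path


def reset_post_counts(lines: List[str]) -> Counter:
    """Count POSTs to reset endpoints per (source IP, minute bucket)."""
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method == "POST" and path in RESET_PATHS:
            counts[(ip, ts.replace(second=0, microsecond=0))] += 1
    return counts


def flag_flooding(lines: List[str], threshold: int = THRESHOLD_PER_MINUTE):
    """Return per-IP alerts (ip, minute, count) and site-wide alerts (minute, count).

    The site-wide total catches a flood spread thinly over many source IPs,
    which the per-IP rule alone would miss.
    """
    per_ip = reset_post_counts(lines)
    per_minute: Counter = Counter()
    for (_, bucket), n in per_ip.items():
        per_minute[bucket] += n
    ip_alerts = sorted((ip, b.isoformat(), n) for (ip, b), n in per_ip.items() if n > threshold)
    site_alerts = sorted((b.isoformat(), n) for b, n in per_minute.items() if n > threshold)
    return ip_alerts, site_alerts


def build_sample_log() -> List[str]:
    """Constructed sample: one noisy IP, one distributed burst, some normal traffic."""
    fmt = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" {st} 512'
    lines = []
    # 12 POSTs from one IP inside 10:15 -> per-IP alert
    for i in range(12):
        lines.append(fmt.format(ip="203.0.113.7", ts=f"02/Jan/2024:10:15:{i:02d} +0000",
                                m="POST", p="/forgot-password", st=200))
    # a legitimate user: loads the form once, submits once
    lines.append(fmt.format(ip="198.51.100.20", ts="02/Jan/2024:10:15:30 +0000",
                            m="GET", p="/forgot-password", st=200))
    lines.append(fmt.format(ip="198.51.100.20", ts="02/Jan/2024:10:15:45 +0000",
                            m="POST", p="/forgot-password", st=200))
    # distributed burst inside 10:16: six IPs, two POSTs each -> only the site-wide rule fires
    for j in range(6):
        for k in range(2):
            lines.append(fmt.format(ip=f"198.51.100.{100 + j}",
                                    ts=f"02/Jan/2024:10:16:{j * 10 + k:02d} +0000",
                                    m="POST", p="/reset-password?lang=en", st=200))
    # unrelated traffic and a line that does not parse
    lines.append(fmt.format(ip="192.0.2.5", ts="02/Jan/2024:10:16:05 +0000",
                            m="POST", p="/login", st=302))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    ip_alerts, site_alerts = flag_flooding(build_sample_log())
    print("per-IP alerts:   ", ip_alerts)
    print("site-wide alerts:", site_alerts)
```

On the sample, the per-IP rule flags only 203.0.113.7 in the 10:15 bucket, while the site-wide rule flags both 10:15 and 10:16; the second bucket is the distributed burst that no single source IP would have revealed. Correlate either alert with the mail server's outbound queue for the same minutes to confirm the emails actually went out.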
