CVE-2023-51301
Published: 19 February 2025
Description
A lack of rate limiting in the "Login Section, Forgot Email" feature of PHPJabbers Hotel Booking System v4.0 allows attackers to send an excessive amount of reset requests for a legitimate user, leading to a possible Denial of Service (DoS) via a large amount of generated e-mail messages.
Security Summary
CVE-2023-51301 affects the PHPJabbers Hotel Booking System version 4.0, specifically the "Login Section, Forgot Email" feature. The vulnerability arises from a lack of rate limiting, enabling attackers to send an excessive number of reset requests for a legitimate user account. This leads to a Denial of Service (DoS) condition through the generation of a large volume of email messages. It is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-400 (Uncontrolled Resource Consumption).
Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction. By repeatedly submitting forgot-email reset requests targeting a valid user, they can overwhelm the system's email infrastructure, causing resource exhaustion and disrupting service availability.
Advisories on PacketStorm, including detailed reports and proof-of-concept exploits, document the missing rate limiting in the affected feature. References also include the vendor's demo page for the Hotel Booking System, though no specific patches or mitigation steps are detailed in the provided sources.
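The control the advisory says is missing is a per-account and per-source request budget on the reset endpoint. The following is an added example of that mitigation, written for this page and not taken from the PHPJabbers product, the PacketStorm advisories, or any vendor patch. The limits (3 reset mails per account per hour, 10 requests per client address per hour), the `ForgotEmailService` class, and the in-memory "mailer" that only records what it would have sent are all assumptions chosen for the demonstration; the addresses and account names are constructed sample data.

```python
"""Sliding-window rate limiting for a "forgot email" handler.

Added example for CVE-2023-51301 (CWE-400): every accepted request costs an
outbound e-mail, so the number of reset requests accepted per target account
and per client address must be bounded. Limits and class names are
assumptions for this demonstration, not the vendor's code.
"""
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` events per key inside any `window_seconds` span."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        """Record one event for `key` and return True if it is within budget."""
        now = time.monotonic() if now is None else now
        q = self._events[key]
        # Forget timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ForgotEmailService:
    """Hypothetical reset handler with an offline stand-in for the mailer."""

    def __init__(self, per_account: int = 3, per_ip: int = 10,
                 window: float = 3600.0) -> None:
        self.by_account = SlidingWindowLimiter(per_account, window)
        self.by_ip = SlidingWindowLimiter(per_ip, window)
        # (account, subject) pairs the stand-in mailer "delivered"
        self.sent: List[Tuple[str, str]] = []
        # (account, client_ip, reason) rows for alerting on throttled traffic
        self.rejected: List[Tuple[str, str, str]] = []

    def request_reset(self, account: str, client_ip: str,
                      now: Optional[float] = None) -> str:
        """Return "sent" or "throttled". The HTTP layer should show the user
        the same neutral message either way; the distinction is for logs."""
        # Per-source budget first: one address cannot drain many accounts'
        # quotas, nor flood the mailer by rotating target accounts.
        if not self.by_ip.allow(client_ip, now):
            self.rejected.append((account, client_ip, "ip_limit"))
            return "throttled"
        # Per-target budget: repeated requests for one legitimate user stop
        # producing mail after `per_account` messages in the window.
        if not self.by_account.allow(account.strip().lower(), now):
            self.rejected.append((account, client_ip, "account_limit"))
            return "throttled"
        # Only a request that passed both budgets reaches the mailer.
        self.sent.append((account, "Reset instructions"))
        return "sent"


if __name__ == "__main__":
    svc = ForgotEmailService()
    for t in range(5):  # five requests for one account within one hour
        print(t, svc.request_reset("guest@example.com", "203.0.113.5", float(t)))
    print("mails sent:", len(svc.sent), "rejected:", svc.rejected)
```

The `rejected` list is the detection hook: a burst of `account_limit` entries for one user, or `ip_limit` entries across many users, is the signature of the flood the advisory describes and is worth alerting on. In a multi-process PHP deployment the deques would live in a shared store such as the database or a cache rather than in process memory, but the check itself is the same.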
Details
- CWE(s)