CVE-2023-51312 identifies a reflected Cross-Site Scripting (XSS) vulnerability in PHPJabbers Restaurant Booking System version 3.0. The vulnerability exists in the Reservations menu, specifically within the Schedule section's date parameter, where user-supplied input is not properly sanitized or encoded before being reflected in the web page response. This flaw allows an attacker with low privileges (PR:L) to craft a malicious URL containing a script payload in the date parameter, which, when clicked by a user, executes arbitrary JavaScript in the victim’s browser context. The attack requires user interaction (UI:R) and can lead to partial compromise of confidentiality and integrity (C:L/I:L), such as stealing session cookies, defacing content, or redirecting users to malicious sites. The vulnerability does not impact availability (A:N). The CVSS v3.1 base score is 5.4, indicating medium severity. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is categorized under CWE-79, which covers improper neutralization of input during web page generation. Given the nature of the vulnerability, it primarily targets web clients interacting with the booking system interface.

For European organizations, especially those in the hospitality sector using PHPJabbers Restaurant Booking System, this vulnerability poses risks to customer data confidentiality and integrity. Attackers could exploit the reflected XSS to hijack user sessions, steal sensitive booking information, or conduct phishing attacks by redirecting users to malicious websites. This can lead to reputational damage, loss of customer trust, and potential regulatory penalties under GDPR if personal data is compromised. While the vulnerability does not affect system availability, the indirect consequences of successful exploitation could disrupt business operations and customer interactions. The medium severity score reflects a moderate risk that requires timely attention to prevent exploitation, particularly in countries with large hospitality industries and widespread use of PHPJabbers products.

Organizations should implement strict input validation and output encoding on the date parameter within the Reservations Schedule section to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of potential XSS attacks. Monitor web application logs for suspicious URL patterns targeting the date parameter. Since no official patches are currently available, consider applying virtual patching via Web Application Firewalls (WAF) to detect and block malicious payloads targeting this vulnerability. Educate staff and users about the risks of clicking on suspicious links. Regularly update and audit the PHPJabbers Restaurant Booking System for new releases or security advisories. Finally, conduct penetration testing focusing on XSS vectors to ensure the vulnerability is fully mitigated.