
Description

Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in the victim's browser context.

PUBLISHED Reserved 2025-12-20 | Published 2026-01-13 | Updated 2026-01-13 | Assigner VulnCheck




MEDIUM: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N)
MEDIUM: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

6.5.4: affected

Credits

nu11secur1ty (finder)

References

www.exploit-db.com/exploits/51207 (ExploitDB-51207) exploit

zippy.com.ua/ (Zstore/Zippy-CRM Product Homepage) product

github.com/leon-mbs/zstore (Zstore/Zippy-CRM GitHub Repository) product

github.com/...1secur1ty/tree/main/vendors/zippy/zstore-6.5.4 (Vulnerability Reproduction Repository) technical-description

www.vulncheck.com/...tore-reflected-cross-site-scripting-xss (VulnCheck Advisory: Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS)) third-party-advisory

cve.org (CVE-2023-53985)

nvd.nist.gov (CVE-2023-53985)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.