CVE-2023-53916
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2023-53916, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-17

Last updated on: 2025-12-27

Assigner: VulnCheck

Description

Zenphoto 1.6 contains a stored cross-site scripting vulnerability in the user postal code field accessible through the admin-users.php interface. When administrators view user information imported as HTML, malicious JavaScript payloads injected into the postal code field execute in their browser context.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-17
Last Modified
2025-12-27
Generated
2026-07-06
AI Q&A
2025-12-18
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zenphoto zenphoto 1.6

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by checking for malicious JavaScript payloads stored in the user postal code field via the admin-users.php interface in Zenphoto 1.6. Since it is a stored XSS, you can inspect the database entries for the postal code field for suspicious scripts. Additionally, monitoring HTTP requests to admin-users.php for unusual input patterns may help. Specific commands are not provided in the resources. [1]

Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in Zenphoto 1.6. It occurs in the user postal code field accessed via the admin-users.php interface. Malicious JavaScript code can be injected into the postal code field, and when administrators view this user information rendered as HTML, the injected script executes in their browser.

Impact Analysis

The vulnerability can lead to the execution of malicious JavaScript in the administrator's browser context. This can result in unauthorized actions performed with administrator privileges, theft of sensitive information such as session tokens, or other malicious activities that compromise the security of the system and its data.

Mitigation Strategies

Immediate mitigation steps include avoiding viewing user information in the admin interface until a patch is applied, sanitizing or validating input in the postal code field to prevent script injection, and applying any available updates or patches from Zenphoto. Restricting administrative access and educating administrators about the risk of executing malicious scripts can also help reduce impact. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53916. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart