CVE-2023-53985
Unknown Unknown - Not Provided
Reflected XSS in Zippy CRM 6.5.4 Enables Script Injection

Publication date: 2026-01-13

Last updated on: 2026-02-27

Assigner: VulnCheck

Description
Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in victim's browser context.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2023-53985
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zippy zstore 6.5.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2023-53985 is a reflected Cross-Site Scripting (XSS) vulnerability in Zstore (also known as Zippy CRM) version 6.5.4. It occurs because the application improperly handles user input at certain manual insertion points, allowing attackers to submit crafted payloads that are reflected back in the HTML response without proper sanitization or encoding. This enables attackers to inject and execute arbitrary JavaScript code in the victim's browser context when they visit a maliciously crafted URL or page, potentially leading to actions like session hijacking or defacement. [3, 4]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code in your browser when you interact with the vulnerable Zstore application. This can lead to session hijacking, theft of sensitive information, defacement of the web interface, or other malicious activities performed in the context of your user session. Because the attack requires user interaction (such as clicking a malicious link), it can be used in phishing or social engineering attacks to compromise user accounts or data. [3, 4]

Detection Guidance

This reflected XSS vulnerability in Zstore 6.5.4 can be detected by sending crafted HTTP GET requests to the vulnerable endpoint and checking if the payload is reflected unescaped in the response. For example, you can use curl to send a request with a malicious payload in the 'p' parameter and observe if the payload is executed or reflected in the response. A sample command is: curl -v "http://target/index.php?p=giflc<img src=a onerror=alert(1)>c0yu0". If the response contains the injected script without proper sanitization, the vulnerability is present. [3]

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all user inputs, especially those used in manual insertion points, to prevent injection of malicious scripts. Applying input encoding or escaping before reflecting data in HTML responses is critical. Additionally, updating to a fixed or newer version of Zippy CRM (if available) or applying patches that address this XSS vulnerability is recommended. As a temporary measure, implementing Web Application Firewall (WAF) rules to block suspicious payloads targeting the 'p' parameter can help reduce exploitation risk. [3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53985. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart