CVE-2023-53985
Reflected XSS in Zippy CRM 6.5.4 Enables Script Injection
Publication date: 2026-01-13
Last updated on: 2026-02-27
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zippy | zstore | 6.5.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2023-53985 is a reflected Cross-Site Scripting (XSS) vulnerability in Zstore (also known as Zippy CRM) version 6.5.4. It occurs because the application improperly handles user input at certain manual insertion points, allowing attackers to submit crafted payloads that are reflected back in the HTML response without proper sanitization or encoding. This enables attackers to inject and execute arbitrary JavaScript code in the victim's browser context when they visit a maliciously crafted URL or page, potentially leading to actions like session hijacking or defacement. [3, 4]
How can this vulnerability impact me?
This vulnerability allows an attacker to execute arbitrary JavaScript in your browser, in the origin of the vulnerable Zstore application, when you open a crafted link to it. Script running in that origin can do anything your session can: read cookies that are not marked HttpOnly, issue authenticated requests on your behalf, steal data rendered in the page, or deface the interface. Because the payload is reflected rather than stored, exploitation requires user interaction (typically clicking a link), so it is most likely to appear as part of a phishing or social-engineering campaign against users of the application. [3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This reflected XSS in Zstore 6.5.4 can be confirmed by sending a crafted HTTP GET request to the vulnerable endpoint and checking whether the payload comes back in the HTML response without encoding. The reported injection point is the 'p' parameter of index.php [3]. Wrap the payload in a unique marker string so it is easy to locate in a large response, and URL-encode it so the client sends it intact (the raw form contains a space and angle brackets). A sample command is: curl -sv "http://target/index.php?p=giflc%3Cimg%20src%3Da%20onerror%3Dalert(1)%3Ec0yu0" | grep -o 'giflc.*c0yu0'. Note that curl only fetches the page; nothing is executed. If the output contains the literal string giflc<img src=a onerror=alert(1)>c0yu0, the parameter is reflected unescaped and the vulnerability is present. If it comes back as giflc&lt;img src=a onerror=alert(1)&gt;c0yu0, the value is being HTML-encoded and this particular injection is not exploitable. [3]
What immediate steps should I take to mitigate this vulnerability?
The primary fix is output encoding: every user-controlled value must be encoded for the context in which it is emitted (HTML text, attribute, JavaScript, URL) at the point where it is written into the response, rather than relying only on input validation. Input validation and sanitization at the manual insertion points the advisory describes are a useful second layer, but they do not replace context-aware encoding. Update to a fixed or newer version of Zippy CRM / Zstore if one is available, or apply a patch that adds the missing encoding. As a temporary measure, a Web Application Firewall rule that blocks requests carrying HTML tags or event handlers in the 'p' parameter reduces exposure, and a Content-Security-Policy that disallows inline scripts limits what a successful injection can do; neither is a substitute for fixing the reflection itself. [3, 4]