Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS) | Advisories

Advisories

Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS)

severity: medium
date: January 13, 2026
Affecting: Zstore 6.5.4
CVE: CVE-2023-53985
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
References: ExploitDB-51207
Zstore/Zippy-CRM Product Homepage
Zstore/Zippy-CRM GitHub Repository
Vulnerability Reproduction Repository
Credit: nu11secur1ty
Description: Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in victim's browser context.