CVE-2023-53916

4.6 MEDIUM

📋 TL;DR

Zenphoto 1.6 contains a stored cross-site scripting (XSS) vulnerability in the user postal code field: a value saved into that field is not HTML-encoded when the user record is rendered in the admin interface, so JavaScript stored there executes in the browser of any administrator who views that user's information. This affects Zenphoto administrators who manage user data.

💻 Affected Systems

Products:
  • Zenphoto
Versions: 1.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Storing the payload requires admin-level access to edit user profiles; once stored, it executes for every administrator who views that user's record.

📦 What is this software?

Zenphoto is an open-source, PHP-based photo gallery and CMS. User accounts, including the profile fields such as postal code involved here, are managed through its web admin interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker rides an administrator's session to perform privileged actions from the victim's browser (creating admin accounts, changing settings, uploading content), which can escalate to full takeover of the Zenphoto installation and theft of its data.

🟠 Likely Case

Hijacking of administrator sessions (if the session cookie is not marked HttpOnly), unauthorized admin actions issued from the victim's browser, or exfiltration of data visible in the admin interface.

🟢 If Mitigated

With output encoding in place (and the field validated on input), the stored payload is displayed as inert text and no script executes; exposure is limited to admin sessions that loaded the unpatched page.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin-level privileges to store the payload; after that, every administrator who views the affected user record triggers it without any further attacker interaction. No unauthenticated path is described.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.1 or later

Vendor Advisory: https://www.zenphoto.org/news/zenphoto-1.6/

Restart Required: No

Instructions:

1. Back up your Zenphoto installation and database.
2. Download Zenphoto 1.6.1 or later from the official website.
3. Replace all files with the new version, preserving your configuration directory, album uploads and any custom themes or plugins.
4. Log in to the admin interface, confirm the reported version, and re-test the postal code field (see How to Verify below).

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Add server-side validation of the postal code before it is stored. The suggested one-line change in admin-users.php is:

$postal_code = htmlspecialchars($_POST['postal_code'], ENT_QUOTES, 'UTF-8');

Caveats: check the actual parameter name against your installed version before editing; and encoding at storage time only protects the HTML context and will double-encode once a proper output fix is applied. A tighter workaround is an allow-list on input (letters, digits, spaces and hyphens cover real postal codes) that rejects anything else, combined with encoding on output.

Output Encoding (all platforms)

Ensure every user-supplied value displayed in the admin interface is HTML-encoded at the point of output. Modify the user display templates to use:

echo htmlspecialchars($user['postal_code'], ENT_QUOTES, 'UTF-8');

This is the change that actually removes the vulnerability; the input filter is defence in depth.
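As an added example (not Zenphoto's own code and not the patch shipped in 1.6.1), the following stand-alone PHP script shows both workarounds side by side: an allow-list validator for the postal code on input, and the vulnerable versus encoded rendering of a user row on output. The function names, the `postal_code` array key and the sample user record are constructed for this illustration.

```php
<?php
// Added example, not Zenphoto code. Function names, the 'postal_code' key and the
// sample record are assumptions made for illustration only.
declare(strict_types=1);

/**
 * Allow-list validation: accept only what a postal code can contain
 * (letters, digits, spaces, hyphens; e.g. "90210", "SW1A 1AA", "K1A-0B1").
 * Returns the trimmed value, '' for an empty optional field, or null when rejected.
 * Rejecting beats "sanitizing": a silently mangled value is hard to audit later.
 */
function validatePostalCode(string $raw): ?string
{
    $value = trim($raw);
    if ($value === '') {
        return '';
    }
    if (strlen($value) > 16 || !preg_match('/^[A-Za-z0-9][A-Za-z0-9 \-]*$/', $value)) {
        return null;
    }
    return $value;
}

/**
 * Encode for an HTML text or attribute context. ENT_QUOTES also encodes single quotes
 * (needed inside attributes); ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning '' silently, which would otherwise hide the record from the admin.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable rendering: stored values are concatenated into the admin page unencoded. */
function renderUserRowVulnerable(array $user): string
{
    return '<tr><td>' . $user['name'] . '</td><td>' . $user['postal_code'] . '</td></tr>';
}

/** Hardened rendering: every user-controlled value is encoded at output time. */
function renderUserRowHardened(array $user): string
{
    return '<tr><td>' . h($user['name']) . '</td><td>' . h($user['postal_code']) . '</td></tr>';
}

// Constructed sample: a profile whose postal code carries an attribute-based payload
// (no <script> tag, so a filter that only strips <script> would miss it).
$user = ['name' => 'alice', 'postal_code' => '<img src=x onerror="alert(1)">'];

echo "vulnerable: " . renderUserRowVulnerable($user) . "\n";
echo "hardened:   " . renderUserRowHardened($user) . "\n";

// Input side: the same class of payload never reaches the database when validated on save.
$candidates = ['90210', 'SW1A 1AA', 'K1A-0B1', '<script>alert(1)</script>', '<img src=x onerror=alert(1)>'];
foreach ($candidates as $candidate) {
    $result = validatePostalCode($candidate);
    printf("%-32s %s\n", $candidate, $result === null ? 'REJECTED' : 'accepted');
}
```

Run it with `php example.php`: the vulnerable row passes the `<img ... onerror>` markup straight through to the browser, the hardened row shows it as literal text, and the validator rejects both payloads while accepting the three real postal codes. Output encoding is the fix that matters; the allow-list is defence in depth that also keeps junk out of the database.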

🧯 If You Can't Patch

  • Restrict admin user creation/modification to trusted personnel only
  • Add a web application firewall rule that rejects POSTs to admin-users.php whose postal code parameter contains <, >, quotes, or an on*= sequence; legitimate postal codes never contain these characters, so a strict allow-list rule produces few false positives

🔍 How to Verify

Check if Vulnerable:

Check the Zenphoto version shown in the admin dashboard or defined in zp-core/version.php; version 1.6 is affected.

Check Version:

grep "define('ZENPHOTO_VERSION'" zp-core/version.php

Verify Fix Applied:

After patching, set a test user's postal code to a payload such as <script>alert('test')</script> and also an attribute-based one such as <img src=x onerror=alert(1)>, then view the user's record as an administrator. The fix is in place if no dialog appears and the page source shows the value encoded (e.g. &lt;script&gt;) rather than as raw markup; a filter that only strips <script> tags but lets the second payload through is not a fix.

📡 Detection & Monitoring

Log Indicators:

  • Postal code values containing HTML tags, quotes or event handlers (on*=) in user management logs or in the users table itself
  • Failed login attempts against admin accounts followed by user profile modifications, indicating a brute-forced or compromised account used to plant the payload

Network Indicators:

  • HTTP POST requests to admin-users.php whose postal code parameter contains markup. Note that standard access logs do not record POST bodies; this indicator needs WAF/ModSecurity audit logging or request-body logging at the reverse proxy.

SIEM Query:

source="web_logs" AND uri="*admin-users.php*" AND (postal_code="*<*" OR postal_code="*on*=*")

The postal_code field only exists in the SIEM if request bodies are logged and parsed; matching on "<" and "on*=" rather than only "<script>" also catches attribute-based payloads.
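As an added example (not Zenphoto code and not a vendor SIEM rule), the following stand-alone PHP script applies the detection logic above to constructed log lines. It assumes a log format in which the POST body was captured (as a WAF audit log or body-logging reverse proxy would produce); the log format, the `postal_code` parameter name and the sample lines are all assumptions for this illustration.

```php
<?php
// Added example, not Zenphoto code. The log format, the 'postal_code' parameter name and
// the sample lines below are constructed for illustration only.
declare(strict_types=1);

/** Markup indicators; a real postal code is only letters, digits, spaces and hyphens. */
const SUSPICIOUS_PATTERNS = [
    '/<\s*(script|img|svg|iframe|object|embed)\b/i', // tags commonly used in XSS payloads
    '/\bon[a-z]+\s*=/i',                              // event handlers: onerror=, onload=, ...
    '/javascript\s*:/i',                              // javascript: URLs
    '/[<>"\']/',                                      // any HTML-significant character at all
];

/**
 * Parse one constructed log line of the form
 *   <client-ip> "<METHOD> <path>" <status> body="<urlencoded body>"
 * and return the decoded postal_code parameter, or null if the line is not a POST
 * to admin-users.php or carries no such parameter.
 */
function extractPostalCode(string $line): ?string
{
    if (!preg_match('/^(\S+) "(POST) ([^ "]+)" (\d{3}) body="([^"]*)"/', $line, $m)) {
        return null;
    }
    if (strpos($m[3], 'admin-users.php') === false) {
        return null;
    }
    parse_str($m[5], $params); // parse_str URL-decodes, as the server would
    return (isset($params['postal_code']) && is_string($params['postal_code']))
        ? $params['postal_code']
        : null;
}

/** Return the offending postal code value when the line should raise an alert, else null. */
function flagLine(string $line): ?string
{
    $pc = extractPostalCode($line);
    if ($pc === null) {
        return null;
    }
    foreach (SUSPICIOUS_PATTERNS as $re) {
        if (preg_match($re, $pc)) {
            return $pc;
        }
    }
    return null;
}

// Constructed sample log lines (not real traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
$lines = [
    '203.0.113.5 "POST /zp-core/admin-users.php" 302 body="user=alice&postal_code=90210"',
    '203.0.113.5 "POST /zp-core/admin-users.php" 302 body="user=alice&postal_code=%3Cscript%3Ealert(1)%3C%2Fscript%3E"',
    '203.0.113.9 "POST /zp-core/admin-users.php" 302 body="user=bob&postal_code=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"',
    '198.51.100.7 "GET /zp-core/admin-users.php" 200 body=""',
];

foreach ($lines as $line) {
    $hit = flagLine($line);
    if ($hit !== null) {
        echo "ALERT: ", $line, "\n       postal_code=", $hit, "\n";
    }
}
```

Run with `php detect.php`: the first line (a real postal code) and the GET are ignored, while the URL-encoded `<script>` and `<img onerror>` submissions both raise alerts after decoding. Matching on the decoded parameter matters because the raw log line contains `%3C`, not `<`, so a SIEM wildcard on the literal string would miss it.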
