Cross Site Scripting Vulnerability in Zenvia Movidesk Profile Editing Functionality
CVE-2025-0971

5.3MEDIUM

Key Information:

Vendor

Zenvia

Status
Movidesk
Vendor
CVE Published:
3 February 2025

What is CVE-2025-0971?

A cross site scripting (XSS) vulnerability has been identified in the Zenvia Movidesk profile editing functionality, specifically in the /Account/EditProfile file. This issue arises from improper handling of the 'username' argument, which can be manipulated by an attacker to inject malicious scripts. The exploitation of this vulnerability can be performed remotely, posing a significant risk to users. It is crucial for those using affected versions up to 25.01.22 to upgrade to version 25.01.22.245a473c54 to mitigate the risks associated with this vulnerability.

Affected Version(s)

Movidesk 25.01.0

Movidesk 25.01.1

Movidesk 25.01.2

References

https://vuldb.com/?id.294362
vdb-entrytechnical-description
https://vuldb.com/?ctiid.294362
signaturepermissions-required
https://vuldb.com/?submit.486023
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

.