Platform
other
Component
movidesk
Fixed in
25.01.22.245a473c54
CVE-2025-0971 describes a cross-site scripting (XSS) vulnerability discovered in Zenvia Movidesk versions 25.01.0 to 25.01.22. This vulnerability allows attackers to inject malicious scripts into the application via manipulation of the username parameter within the /Account/EditProfile endpoint. The vulnerability is rated as problematic and can be exploited remotely. A fix is available in version 25.01.22.245a473c54.
Successful exploitation of CVE-2025-0971 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the Movidesk interface. The attacker could potentially gain access to sensitive user data or perform actions on behalf of the compromised user. Given the remote nature of the exploit, any user accessing the /Account/EditProfile endpoint is potentially at risk. The impact is amplified if Movidesk is used to manage sensitive data or control critical systems.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. There is no immediate indication of active exploitation campaigns targeting CVE-2025-0971, but the availability of a public exploit significantly raises the risk. The vulnerability is not currently listed on the CISA KEV catalog. Further monitoring is recommended to assess the evolving threat landscape.
Exploit Status
EPSS
0.17% (38% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-0971 is to immediately upgrade Movidesk to version 25.01.22.245a473c54 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the username parameter within the /Account/EditProfile endpoint to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Monitor access logs for suspicious activity related to the /Account/EditProfile endpoint, looking for unusual characters or patterns in the username parameter.
Upgrade Movidesk to version 25.01.22.245a473c54 or later. This update fixes the Cross-Site Scripting (XSS) vulnerability in profile editing. It is recommended to perform the upgrade as soon as possible to prevent potential attacks.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-0971 is a cross-site scripting (XSS) vulnerability affecting Zenvia Movidesk versions 25.01.0 through 25.01.22, allowing attackers to inject malicious scripts.
You are affected if you are using Movidesk versions 25.01.0 to 25.01.22 and have not upgraded to version 25.01.22.245a473c54.
Upgrade Movidesk to version 25.01.22.245a473c54 or later. Implement input validation and consider using a WAF for temporary protection.
While there's no confirmed active exploitation, the vulnerability is publicly disclosed, increasing the risk of exploitation.
Refer to the Zenvia Movidesk security advisories for details and updates regarding CVE-2025-0971.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.