プラットフォーム
other
コンポーネント
movidesk
修正版
25.01.22.245a473c54
CVE-2025-0971 describes a cross-site scripting (XSS) vulnerability discovered in Zenvia Movidesk versions 25.01.0 to 25.01.22. This vulnerability allows attackers to inject malicious scripts into the application via manipulation of the username parameter within the /Account/EditProfile endpoint. The vulnerability is rated as problematic and can be exploited remotely. A fix is available in version 25.01.22.245a473c54.
Successful exploitation of CVE-2025-0971 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the Movidesk interface. The attacker could potentially gain access to sensitive user data or perform actions on behalf of the compromised user. Given the remote nature of the exploit, any user accessing the /Account/EditProfile endpoint is potentially at risk. The impact is amplified if Movidesk is used to manage sensitive data or control critical systems.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. There is no immediate indication of active exploitation campaigns targeting CVE-2025-0971, but the availability of a public exploit significantly raises the risk. The vulnerability is not currently listed on the CISA KEV catalog. Further monitoring is recommended to assess the evolving threat landscape.
Organizations using Movidesk for remote access and support are particularly at risk, especially those with legacy configurations or shared hosting environments. Users who frequently modify their profile information through the /Account/EditProfile endpoint are also directly exposed.
• linux / server:
journalctl -u movidesk -f | grep -i 'username='• generic web:
curl -s 'https://<movidesk_server>/Account/EditProfile?username=<malicious_script>' | grep -i '<script>' # Check for script injection in responsedisclosure
エクスプロイト状況
EPSS
0.17% (38% パーセンタイル)
CISA SSVC
CVSS ベクトル
The primary mitigation for CVE-2025-0971 is to immediately upgrade Movidesk to version 25.01.22.245a473c54 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the username parameter within the /Account/EditProfile endpoint to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Monitor access logs for suspicious activity related to the /Account/EditProfile endpoint, looking for unusual characters or patterns in the username parameter.
Actualice Movidesk a la versión 25.01.22.245a473c54 o posterior. Esta actualización corrige la vulnerabilidad de Cross-Site Scripting (XSS) en la edición de perfiles. Se recomienda realizar la actualización lo antes posible para evitar posibles ataques.
脆弱性分析と重要アラートをメールでお届けします。
CVE-2025-0971 is a cross-site scripting (XSS) vulnerability affecting Zenvia Movidesk versions 25.01.0 through 25.01.22, allowing attackers to inject malicious scripts.
You are affected if you are using Movidesk versions 25.01.0 to 25.01.22 and have not upgraded to version 25.01.22.245a473c54.
Upgrade Movidesk to version 25.01.22.245a473c54 or later. Implement input validation and consider using a WAF for temporary protection.
While there's no confirmed active exploitation, the vulnerability is publicly disclosed, increasing the risk of exploitation.
Refer to the Zenvia Movidesk security advisories for details and updates regarding CVE-2025-0971.
依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。