A critical cross-site scripting (XSS) vulnerability has been identified in the Movary web application. Attackers can exploit this flaw by crafting a malicious link which, if clicked by a user, can execute arbitrary code in their browser, potentially leading to account takeover, data theft, and further attacks. Due to the critical severity, immediate patching is required to prevent compromise.

The vulnerability is a reflected Cross-Site Scripting (XSS) weakness in the Movary application. Due to insufficient input sanitization of the ?categoryCreated= URL parameter, an attacker can inject malicious JavaScript code. An attacker can craft a specific URL containing a malicious script and trick a logged-in user into clicking it. When the victim visits the link, the malicious script is reflected from the server and executed within the context of the victim's browser session, granting the attacker the ability to steal session cookies, perform actions on behalf of the user, or deface the web application's content for that user.

This vulnerability is rated as critical severity with a CVSS score of 9.3, indicating a significant risk to the organization. Successful exploitation could lead to the compromise of user and administrative accounts, resulting in the theft of sensitive user data, including personal watch history and account information. An attacker could perform unauthorized actions, such as modifying user data or deleting records, leading to a loss of data integrity. Such an incident could cause significant reputational damage and a loss of user trust in the platform.

Immediate Action: Immediately upgrade all instances of the Movary application to version 0.70.0 or newer, as this version contains the necessary patch to validate the vulnerable parameter and prevent the XSS attack. After upgrading, it is crucial to review access logs for any signs of past exploitation attempts.

Proactive Monitoring: Security teams should configure monitoring to detect and alert on exploitation attempts. Specifically, review web server and application logs for URLs containing HTML or JavaScript syntax (e.g., <script>, onerror=, alert()) within the ?categoryCreated= parameter. Monitor for unusual or unauthorized changes to user accounts that may indicate a successful compromise.

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) as a compensating control. Configure the WAF with rulesets designed to detect and block common XSS attack patterns in HTTP GET requests, which can help mitigate this specific threat until the application can be patched.

Public Exploit Available: false

Given the critical CVSS score of 9.3, this vulnerability presents a high risk and should be addressed immediately. We strongly recommend that all affected Movary instances be upgraded to version 0.70.0 or later without delay. Although this vulnerability is not currently listed on the CISA KEV list, its high severity and potential for user account compromise make it a priority for remediation. Organizations should treat this as an urgent threat and apply the recommended patch to prevent potential exploitation.