I have found a stored XSS in the Facebook Channel options at
The XSS is a result of improperly escaping Facebook Page names.
Create a facebook page with the following title/page name:
(I had to play around with this a bit to get it working correctly as Facebook has strict policies on the page name. If the page already exists, try to replace
Foobar with any other random string)
2. Create your own zendesk account and then go to
https://[your_zendesk].zendesk.com/agent/admin/facebook/facebook_auth to add a facebook page.
3. After adding the page created in Step 1, hover over the "Unlink" button to trigger the XSS. See also attached screenshot.
Obviously anyone with the permissions to add facebook pages can trigger this stored XSS and attack the admins with the usual XSS attacks.