FreeScout
cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*
- < 1.8.178
A stored cross-site scripting vulnerability has been identified in FreeScout versions prior to 1.8.178. This issue arises from improper input validation and sanitization of user data in the conversation POST data body, allowing attackers to inject arbitrary HTML, including JavaScript, into pages viewed by users. Exploitation could lead to theft of sensitive information, hijacking of user sessions, or other malicious activities.
Successful exploitation results in stored cross-site scripting: the injected script is saved with the conversation and runs in the browser of any user who views it, in that user's context.
To reproduce this vulnerability, an authorized user can send a POST request to the '/conversation/ajax' endpoint, including a payload in the 'body' parameter that contains JavaScript code, such as an image tag with an 'onerror' event. This request must be made with the appropriate headers to simulate a genuine user interaction, including a valid CSRF token and session cookie. Once the conversation is loaded, the injected script will execute in the user's browser.
Users are advised to update FreeScout to version 1.8.178 or later. For general guidance on preventing cross-site scripting vulnerabilities, consult the OWASP Cross-Site Scripting Prevention Cheat Sheet.