Primary

Context

FreeScout Cross-Site Scripting Vulnerability

Vulnerability

Patched

A stored cross-site scripting vulnerability has been identified in FreeScout versions prior to 1.8.180. This issue arises from improper input validation and sanitization, allowing authenticated users to inject arbitrary HTML, including JavaScript, into customer profile updates. Exploitation of this vulnerability could lead to the theft of sensitive information, hijacking of user sessions, or other malicious activities.

Impact

Exploitation allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, an authenticated user can access the profile editing page of any customer. While on this page, the user can inject a script into the 'first_name' or 'last_name' fields. After submitting the form, the injected script will be executed when the profile is viewed, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to update FreeScout to version 1.8.180 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

2.2

impact

1.7

exploitability

6.5

remediation

7.7

relevance

0.1

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.2

impact

1.7

exploitability

6.5

remediation

7.7

relevance

0.1

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

FreeScout Cross-Site Scripting Vulnerability

Vulnerability

Impact

Reproduction

Remediation

Affected Products

FreeScout

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating