FreeScout Cross-Site Scripting Vulnerability in Translations Feature

A stored cross-site scripting (XSS) vulnerability has been identified in FreeScout versions prior to 1.8.180. This issue arises in the translations feature, where improper input validation allows users to inject malicious payloads. Specifically, when creating a translation of a phrase that appears in a flash message after an action, an attacker could exploit this vulnerability by injecting HTML or JavaScript. The injected script could then be executed in the context of the user's browser, potentially leading to session hijacking or data theft.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, an authorized user with administrative privileges can create a translation for a phrase that is displayed in a flash notification. During the translation process, the user can inject a script payload into the translation value. Once the translation is published, the injected script will be executed when the flash message is displayed, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to update FreeScout to version 1.8.180 or later, where this vulnerability has been patched.