Volerion logoVolerion
Volerion logoVolerion

FreeScout Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in FreeScout versions prior to 1.8.180. The issue arises from improper validation and sanitization of user input, allowing an authorized user to upload an HTML file with malicious JavaScript to the server. This vulnerability requires the application to be hosted on Apache and can be exploited by deleting the .htaccess file to bypass restrictions.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, an authorized user must first delete the .htaccess file, which removes restrictions on file uploads. Then, upload an HTML file containing malicious JavaScript through the application's upload feature. The injected script will be executed when the uploaded file is accessed, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to update FreeScout to version 1.8.180 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread
2.2
impact
1.7
exploitability
6.4
remediation
7.7
relevance
0.2
threat
6.4
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.