FreeScout Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in FreeScout versions prior to 1.8.180. This issue arises from inadequate validation and sanitization of user input, allowing attackers to inject arbitrary HTML, including JavaScript, into pages viewed by other users. Exploitation could lead to the theft of sensitive information, hijacking of user sessions, or other malicious activities. The vulnerability affects users with permission to edit mailbox titles, and can be triggered by system administrators when the Content Security Policy feature is disabled.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, an authorized user with permission to edit mailbox titles can send a POST request to the '/mailbox/settings/' endpoint. The request must include a malicious payload in the 'name' field, such as an image tag with an 'onerror' event. Once the payload is injected, it will be executed when the mailbox details are viewed, triggering the cross-site scripting vulnerability.

Remediation

Users are advised to update FreeScout to version 1.8.180 or later, where this vulnerability has been patched.