FreeScout Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in FreeScout versions prior to 1.8.181. The issue arises from improper validation of the 'last_name' and 'first_name' fields during profile updates, which allows users to inject arbitrary JavaScript. The injected script is executed in a flash message when the data is deleted. Exploitation requires an authorized user, and the vulnerability can be exacerbated by disabling the Content Security Policy (CSP) feature, which is possible through another vulnerability in the application.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, an authorized user can update their profile by injecting JavaScript into the 'last_name' and 'first_name' fields. Once the data is saved and later deleted, the injected script will execute in a flash message.

Remediation

Users can update to FreeScout version 1.8.181 or later, where this vulnerability has been patched.
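
The bug class described above, shown as an added example that is not FreeScout's code or its patch: a stored name concatenated into an HTML flash message, next to the same message with output encoding, plus a write-time check on the name fields. The function names, the message markup and the validation rule are assumptions made for illustration, and the sample profile is constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample input: a saved profile whose name field carries markup.
$profile = [
    'first_name' => '<script>alert(1)</script>',
    'last_name'  => 'Doe',
];

// Vulnerable pattern: stored values are concatenated into the HTML message as-is.
function flash_deleted_unsafe(array $p): string
{
    return '<div class="alert">Deleted: ' . $p['first_name'] . ' ' . $p['last_name'] . '</div>';
}

// Output encoding: escape each stored value at the point where it enters HTML.
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function flash_deleted_safe(array $p): string
{
    return '<div class="alert">Deleted: ' . e_html($p['first_name']) . ' ' . e_html($p['last_name']) . '</div>';
}

// Write-time validation for profile updates (hypothetical rule):
// letters, combining marks, spaces, dot, apostrophe and hyphen, 1 to 100 characters.
function valid_name(string $s): bool
{
    return preg_match('/^[\p{L}\p{M} .\'\-]{1,100}$/u', $s) === 1;
}

echo flash_deleted_unsafe($profile), PHP_EOL; // markup reaches the page intact
echo flash_deleted_safe($profile), PHP_EOL;   // markup is rendered as inert text
foreach ($profile as $field => $value) {
    echo $field, ': ', valid_name($value) ? 'accepted' : 'rejected', PHP_EOL;
}
```

Validation on write and encoding on output are complementary: encoding still protects values that were stored before a validation rule existed.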

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 1.7
exploitability: 6.5
remediation: 7.7
relevance: 0.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.