FreeScout Stored Cross-Site Scripting Vulnerability via SVG File Upload

A stored cross-site scripting vulnerability has been identified in FreeScout versions through 1.8.208. This issue arises from bypasses in the attachment view logic and the SVG sanitizer, allowing the upload and inline rendering of SVG files that execute malicious JavaScript. The vulnerability exploits the application's file handling by using a .png filename extension with a content type of image/svg+xml, circumventing restrictions on SVG uploads. Once uploaded, the SVG can execute scripts in the context of the user viewing the attachment.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files execute JavaScript when accessed, potentially leading to unauthorized actions being performed on behalf of the user.

Reproduction

To reproduce this vulnerability, upload an SVG file disguised as a PNG by using a .png extension and the content type image/svg+xml. The SVG should contain JavaScript payloads, such as an 'onload' event, to demonstrate the cross-site scripting effect. After uploading, access the file through the application to trigger the JavaScript execution.

Remediation

Users can update to FreeScout version 1.8.209, which addresses this vulnerability by improving the SVG sanitization process and adding a Content Security Policy header when displaying attachments.