FreeScout Stored Cross-Site Scripting Vulnerability in Email Notification Templates

A stored cross-site scripting vulnerability has been identified in FreeScout, a help desk and shared inbox application built on PHP's Laravel framework. This issue affects versions through 1.8.208. The vulnerability arises because incoming email bodies are saved in the database without proper sanitization and are later rendered unescaped in outgoing email notifications using Blade's raw output syntax. An unauthenticated attacker can exploit this by sending an email with a malicious payload, which, when opened by a subscribed agent or admin, injects HTML or JavaScript that could be executed in vulnerable email clients, leading to session hijacking or credential theft. This vulnerability impacts all recipients of the notification email simultaneously.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user receiving the email notification. This could lead to session theft, credential hijacking, and account takeover, particularly in email clients that execute JavaScript.

Reproduction

To reproduce this vulnerability, send an email to a FreeScout mailbox with a payload containing HTML or JavaScript in the body. FreeScout will process this email and store the unescaped content. Once the email notification is sent to subscribed agents or admins, the injected content will be executed or rendered, depending on the email client.

Remediation

Users can update to FreeScout version 1.8.209, which addresses this vulnerability by sanitizing email bodies before they are rendered in notifications.