FreeScout CSS Injection Vulnerability in Mailbox Signature Leading to CSRF Token Exfiltration

Vulnerability

A vulnerability exists in FreeScout prior to version 1.8.213, where the `Helper::stripDangerousTags()` function fails to remove `<style>` tags from user input. This issue allows for CSS injection, particularly in the mailbox signature field, which is saved via a POST request and later rendered unescaped in conversation views. The Content Security Policy (CSP) in place permits the execution of injected styles. An attacker with access to mailbox settings can exploit this to exfiltrate the CSRF token of any agent or admin who views a conversation in that mailbox. With the CSRF token, the attacker could perform state-changing actions as the victim, such as creating admin accounts or altering email and password details, effectively escalating privileges from agent to admin.

Impact

Exploitation of this vulnerability allows for the unauthorized exfiltration of CSRF tokens, which can be used to perform state-changing actions on behalf of the victim, such as creating admin accounts or modifying user credentials. This represents a significant privilege escalation risk.

Reproduction

To reproduce this vulnerability, an admin or authorized agent must inject a `<style>` tag containing CSS attribute selectors targeting the CSRF token input field into the mailbox signature via the mailbox settings. Once saved, any agent who opens a conversation in that mailbox will trigger the CSS, causing the exfiltration of the CSRF token to an external server. This process can be automated with a script that logs into FreeScout, sets the malicious signature, and then prompts the victim to open a conversation, all while capturing the exfiltrated CSRF token.

Remediation

Users should update FreeScout to version 1.8.213 or later, where this vulnerability has been fixed.
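As an added illustration (not FreeScout's own code; the project's `Helper::stripDangerousTags()` implementation is not reproduced on this page), the Python below contrasts a sanitizer with the gap described above against a hardened one that drops `<style>` elements, including unterminated ones, and adds an audit helper for finding stored signatures that still contain a `<style>` element after upgrading. The tag list, function names and sample signatures are constructed assumptions.

```python
import re
from typing import Iterable

# Tags dropped together with their body. The page reports that <script> was
# handled while <style> was not; which other tags the real function removes is
# not stated, so this list is an assumption for illustration.
DANGEROUS_TAGS = ("script", "style")


def _element_pattern(tag: str) -> re.Pattern:
    # Matches "<tag ...> body </tag>", or "<tag ...>" up to end of input when the
    # closing tag is missing: an unterminated <style> still turns the rest of
    # the rendered page into CSS in a browser, so it must be removed as well.
    return re.compile(
        rf"<\s*{tag}\b[^>]*>.*?(?:<\s*/\s*{tag}\s*>|\Z)",
        re.IGNORECASE | re.DOTALL,
    )


def strip_dangerous_tags_vulnerable(html: str) -> str:
    """Models the pre-1.8.213 behaviour: <script> is removed, <style> is kept."""
    return _element_pattern("script").sub("", html)


def strip_dangerous_tags(html: str) -> str:
    """Hardened version: every tag in DANGEROUS_TAGS is removed with its body."""
    for tag in DANGEROUS_TAGS:
        html = _element_pattern(tag).sub("", html)
    return html


def find_signatures_with_style(signatures: Iterable[tuple[str, str]]) -> list[str]:
    """Audit helper: ids of stored signatures that still carry a <style> element."""
    pattern = _element_pattern("style")
    return [sig_id for sig_id, html in signatures if pattern.search(html)]


# Constructed sample of stored mailbox signatures (ids and bodies are made up).
SAMPLE_SIGNATURES = [
    ("mailbox-1", "<p>Regards,<br>Support Team</p>"),
    ("mailbox-2", '<p>Thanks</p><STYLE type="text/css">p { color: red }</STYLE>'),
    ("mailbox-3", "<p>Hi</p><style>p { }"),  # unterminated <style>
]

if __name__ == "__main__":
    for sig_id, html in SAMPLE_SIGNATURES:
        print(sig_id, "->", strip_dangerous_tags(html))
    print("needs cleanup:", find_signatures_with_style(SAMPLE_SIGNATURES))
```

A regex stripper is only a model of the defect; a production sanitizer should parse the HTML and keep an allow-list of tags rather than deny-listing known dangerous ones.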

Added: Apr 21, 2026, 3:22 AM
Updated: Apr 21, 2026, 3:22 AM

Vulnerability Rating

Custom Algorithm

spread          2.2
impact          2.9
exploitability  5.5
remediation     7.7
relevance       6.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.