FreeScout Stored Cross-Site Scripting Vulnerability in Linkify Function

Vulnerability

A stored cross-site scripting vulnerability has been identified in FreeScout versions prior to 1.8.213. The issue arises in the linkify() function, located in app/Misc/Helper.php, which converts plain-text URLs in email bodies into HTML anchor tags. The function fails to escape double-quote characters in the URLs, so a quote inside a URL closes the href attribute value and allows the injection of arbitrary HTML attributes. The problem is compounded by HTMLPurifier, which preserves literal double quotes in text nodes, so the quotes reach linkify() intact. When the crafted email is viewed by an agent, the injected HTML is rendered, leading to a full-page CSS overlay injection or, in some cases, the execution of JavaScript via an onclick attribute.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the email.

Reproduction

To reproduce this vulnerability, send an email to a FreeScout helpdesk mailbox from an external (unauthenticated) source. The email should contain a URL with unescaped double-quote characters, such as 'http://evil.com/'style='position:fixed;top:0;left:0;width:100%;height:100%;background:red;z-index:9999;x=a'. When an agent views the conversation, the linkify() function processes the email body, resulting in the injection of CSS styles that create a full-page overlay, redressing the user interface. This can also be verified by injecting JavaScript via an onclick attribute, although this execution is blocked by the application's content security policy.

Remediation

Users should update to FreeScout version 1.8.213, which addresses this vulnerability by escaping double-quote characters in URLs before they are converted into anchor tags.
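The following PHP is an added illustration written for this advisory; it is not FreeScout's own app/Misc/Helper.php. It shows a minimal linkify() in the vulnerable shape described above (the matched URL concatenated straight into href="...") beside the remediated shape (the URL escaped for an attribute context before the anchor is built), and adds a small DOMDocument-based check that reports whether any anchor in the output picked up an attribute beyond href and target. The function names, the URL regex and the sample email body are constructed for the example.

```php
<?php
// Added illustration, not FreeScout's code: a minimal linkify() written two
// ways, to show the defect the advisory describes and the fix it names.

// Vulnerable pattern: the matched URL is concatenated into href="..." as-is.
function linkify_vulnerable(string $text): string
{
    return preg_replace_callback(
        '~https?://[^\s<>]+~i',          // bare URL up to whitespace or a tag
        function (array $m): string {
            // A double quote inside $m[0] closes the href value, and whatever
            // follows it becomes additional attributes on the anchor.
            return '<a href="' . $m[0] . '" target="_blank">' . $m[0] . '</a>';
        },
        $text
    );
}

// Hardened pattern: escape the URL for an attribute context before use.
function linkify_fixed(string $text): string
{
    return preg_replace_callback(
        '~https?://[^\s<>]+~i',
        function (array $m): string {
            // ENT_QUOTES encodes both " and ', so the value cannot terminate
            // the attribute; the same escaped string is safe as the link text.
            $url = htmlspecialchars($m[0], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $url . '" target="_blank">' . $url . '</a>';
        },
        $text
    );
}

// Detection helper (added for this example): does any <a> in $html carry an
// attribute other than href and target? DOMDocument is used instead of a
// regex so the markup is interpreted the way a browser would parse it.
function anchorHasUnexpectedAttribute(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                 // tolerate fragment markup
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('a') as $a) {
        foreach ($a->attributes as $attr) {
            if (!in_array($attr->name, ['href', 'target'], true)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample email body, shaped like the advisory's example, with the
// double quotes as they would appear in a raw message.
$body = 'Ticket: http://evil.com/"style="position:fixed;top:0;left:0;'
      . 'width:100%;height:100%;background:red;z-index:9999;x=a thanks';

$outputs = [
    'vulnerable' => linkify_vulnerable($body),
    'fixed'      => linkify_fixed($body),
];

foreach ($outputs as $name => $html) {
    printf("%-10s injected attribute: %s\n%s\n\n",
        $name, anchorHasUnexpectedAttribute($html) ? 'YES' : 'no', $html);
}
```

Run with `php linkify_demo.php`: the vulnerable output grows a style attribute on the anchor, so the check reports YES, while the fixed output keeps the whole matched string inside the quoted href value (the quotes become &quot;) and the check reports no. The same check can be pointed at the rendered conversation HTML of a patched instance as a regression test.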

Added: Apr 21, 2026, 4:48 PM
Updated: Apr 21, 2026, 4:48 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 1.7
exploitability: 7.6
remediation: 7.7
relevance: 6.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.