FreeScout
cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*
- < 1.8.213
A stored cross-site scripting vulnerability has been identified in FreeScout versions prior to 1.8.213. The issue arises in the mailbox signature feature, where the sanitization function 'Helper::stripDangerousTags()' employs an inadequate blocklist, allowing certain HTML elements and event handler attributes to bypass filters. This flaw enables authenticated users with the 'ACCESS_PERM_SIGNATURE' permission to inject arbitrary HTML and JavaScript into mailbox signatures. The injected scripts execute automatically when conversations are viewed, potentially leading to session hijacking, phishing attacks, and unauthorized access to admin-level actions.
Exploitation yields persistent cross-site scripting: injected scripts execute automatically whenever conversations are viewed. This could lead to session hijacking, especially under certain Content Security Policy conditions, and to unauthorized access to admin-level actions.
To reproduce this vulnerability, log into FreeScout with an account that has 'ACCESS_PERM_SIGNATURE' on a mailbox. Navigate to the mailbox signature settings and inject a payload, such as an image tag with an event handler attribute, into the signature field. Save the signature; the injected script then executes whenever the mailbox is accessed.
Users can update to FreeScout version 1.8.213 or later, where this vulnerability has been fixed.
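A blocklist fails open on anything it does not name, so the defensive counterpart is an allowlist check. The following is an added example, not FreeScout's code: it audits signature HTML an operator has exported and reports every tag, attribute or URL scheme outside an allowlist. The allowlist contents, the function names and the sample signatures are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed allowlist for signature markup (hypothetical, not FreeScout's own list).
ALLOWED_TAGS = {"a", "b", "br", "div", "em", "i", "img", "p", "span", "strong", "u"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "width", "height"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def _safe_url(value):
    # Drop whitespace/control characters, then inspect the part before any / ? #.
    url = "".join(ch for ch in (value or "") if ch > " ").lower()
    head = re.split(r"[/?#]", url, maxsplit=1)[0]
    return ":" not in head or url.startswith(SAFE_SCHEMES)


class SignatureAuditor(HTMLParser):
    """Records every tag or attribute that is not explicitly allowed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):  # names arrive lower-cased
        if tag not in ALLOWED_TAGS:
            self.findings.append(("tag", tag))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag}@{name}"))
            elif name not in ALLOWED_ATTRS:
                self.findings.append(("attribute", f"{tag}@{name}"))
            elif name in URL_ATTRS and not _safe_url(value):
                self.findings.append(("url-scheme", f"{tag}@{name}"))


def audit_signature(html):
    auditor = SignatureAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample signatures; the handler body is an inert placeholder.
SAMPLES = {
    "clean": '<p>Regards,<br><b>Support</b></p><img src="https://example.com/l.png" alt="logo">',
    "flagged": '<p>Regards</p><img src="x" onerror="/* placeholder */">',
}

if __name__ == "__main__":
    for label, html in SAMPLES.items():
        print(label, audit_signature(html))
```

Any non-empty result marks a signature for manual review; the parser decodes character references in attribute values before the scheme check runs.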