FreeScout
cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*
- <= 1.8.216
A cross-site scripting (XSS) vulnerability has been identified in FreeScout versions prior to 1.8.217. The issue allows users with the 'updateAutoReply' permission to inject an XSS payload into the mailbox auto-reply message. This payload is then sent unescaped to every customer who contacts the mailbox, executing in the context of the customer's email client, which typically does not enforce content security policies. The vulnerability arises from a validation bypass in the auto-reply message handling, where mixed text and HTML content can be exploited to deliver malicious scripts.
Exploitation of this vulnerability leads to cross-site scripting in the email clients of all affected customers, allowing for phishing attacks, credential harvesting, and potential theft of webmail session cookies if the email provider displays attachments inline.
To reproduce this vulnerability, log into FreeScout as an agent with 'updateAutoReply' permission. Navigate to the mailbox settings and enable the auto-reply feature. In the auto-reply message field, insert an image tag with an 'onerror' attribute containing a JavaScript payload, such as an alert command. Save the changes, which will be reflected in the database. The injected script will execute when the auto-reply email is sent to a customer.
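The root cause described above is a validation gap: auto-reply content that mixes plain text and HTML markup reached customers with event-handler attributes intact. The defensive pattern is to run every stored auto-reply body through an allowlist sanitizer regardless of whether it "looks like" plain text or HTML, so that active content such as `onerror` handlers or `javascript:` URLs can never survive. The Python sanitizer below is an added illustration of that principle and is not FreeScout's code (FreeScout itself is PHP); the tag and attribute allowlists, the function names and the sample auto-reply strings are all assumptions chosen for the example.

```python
"""Allowlist-based sanitizer for a mailbox auto-reply body.

Added illustration, not FreeScout's own code. It always sanitizes the
whole string, whether it is plain text, HTML, or a mixture of both, so
there is no "is this HTML?" decision for an attacker to steer around.
Allowlists below are assumptions for the example.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "a", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}   # everything else is dropped
VOID_TAGS = {"br", "img"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
SKIP_BODY_TAGS = {"script", "style"}                     # drop tag *and* its contents


def _safe_url(value):
    """Accept http(s)/mailto and scheme-less (relative) URLs; reject javascript:, data:, etc."""
    v = value.strip().lower()
    for ws in ("\t", "\n", "\r"):        # browsers ignore these inside a scheme
        v = v.replace(ws, "")
    if v.startswith(SAFE_URL_SCHEMES):
        return True
    first_segment = v.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    return ":" not in first_segment    # a colon before any path separator means a scheme


class AutoReplySanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # record of removed tags/attributes, useful for audit logging
        self._skipping = None  # name of a script/style tag whose body is being discarded

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_BODY_TAGS:
            self._skipping = tag
            self.dropped.append(f"<{tag}>")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # HTMLParser lowercases attribute names, so ONERROR is caught as well
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in ("href", "src") and not _safe_url(value):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == self._skipping:
            self._skipping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skipping:
            return
        self.out.append(escape(data, quote=False))   # re-escape decoded text


def sanitize_auto_reply(body):
    """Return (sanitized_html, list_of_dropped_items) for any auto-reply body."""
    p = AutoReplySanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out), p.dropped


if __name__ == "__main__":
    # Constructed sample: mixed text and markup, as the advisory describes
    sample = 'Thanks for writing! <img src="x" onerror="alert(1)"> We reply soon.'
    clean, dropped = sanitize_auto_reply(sample)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is worth feeding into application logs: an agent account that repeatedly saves auto-reply text containing event-handler attributes or `javascript:` URLs is a useful detection signal on its own, independent of whether the sanitizer stopped the payload.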
Users can update to FreeScout version 1.8.217 or later, where this vulnerability has been patched.