HIGH🇵🇱 Wersja polska

CVE-2026-40497

CVSS 8.1v3.1pub. 2026-04-21upd. 2026-04-23

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's `Helper::stripDangerousTags()` removes `<script>`, `<form>`, `<iframe>`, `<object>` but does NOT strip `<style>` tags. The mailbox signature field is saved via POST /mailbox/settings/{id} and later rendered unescaped via `{!! $conversation->getSignatureProcessed([], true) !!}` in conversation views. CSP allows `style-src * 'self' 'unsafe-inline'`, so injected inline styles execute freely. An attacker with access to mailbox settings (admin or agent with mailbox permission) can inject CSS attribute selectors to exfiltrate the CSRF token of any agent/admin who views a conversation in that mailbox. With the CSRF token, the attacker can perform any state-changing action as the victim (create admin accounts, change email/password, etc.) — privilege escalation from agent to admin. This is the result of an incomplete fix of GHSA-jqjf-f566-485j. That advisory reported XSS via mailbox signature. The fix applied `Helper::stripDangerousTags()` to the signature before saving. However, `stripDangerousTags()` only removes `script`, `form`, `iframe`, and `object` tags — it does NOT strip `<style>` tags, leaving CSS injection possible. Version 1.8.213 contains an updated fix.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
  • Freescout

    APP
    Freescout
    < 1.8.213
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSSLPE
CWE
References

Related vulnerabilities

CVE-2026-32754CRITICAL9.3PL ✓ten sam produkt

FreeScout: Stored XSS w szablonach powiadomień e-mail umożliwia przejęcie kont

CVE-2026-28289CRITICAL10.0PL ✓ten sam produkt

FreeScout: bypass zabezpieczeń uploadu pliku prowadzący do RCE

CVE-2026-27637CRITICAL9.8PL ✓ten sam produkt

FreeScout: przewidywalny token uwierzytelniający umożliwia przejęcie konta

CVE-2024-29185CRITICAL9.0PL ✓ten sam produkt

FreeScout: OS Command Injection umożliwiający przejęcie serwera

CVE-2026-40496HIGH8.8ten sam produkt

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download to...