Description
FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox signature feature. The sanitization function `Helper::stripDangerousTags()` (`app/Misc/Helper.php:568`) uses an incomplete blocklist of only four HTML tags (`script`, `form`, `iframe`, `object`) and does not remove event handler attributes. When a mailbox signature is saved via `MailboxesController::updateSave()` (`app/Http/Controllers/MailboxesController.php:267`), HTML elements such as `<img>`, `<svg>`, and `<details>` with event handler attributes like `onerror` and `onload` pass through sanitization unchanged and are stored in the database. The signature is then rendered as raw HTML via the Blade `{!! !!}` tag in `editor_bottom_toolbar.blade.php:6` and re-inserted into the visible DOM by jQuery `.html()` at `main.js:1789-1790`, triggering the injected event handlers. Any authenticated user with the `ACCESS_PERM_SIGNATURE` (`sig`) permission on a mailbox -- a delegatable, non-admin permission -- can inject arbitrary HTML and JavaScript into the mailbox signature. The payload fires automatically, with no victim interaction, whenever any agent or administrator opens any conversation in the affected mailbox. This enables session hijacking (under CSP bypass conditions such as IE11 or module-weakened CSP), phishing overlays that work in all browsers regardless of CSP, and chaining to admin-level actions including email exfiltration via mass assignment and self-propagating worm behavior across all mailboxes. Version 1.8.213 fixes the issue.
Published: 2026-04-21
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Immediate Patch
AI Analysis

Impact

FreeScout stores mailbox signatures without complete HTML filtering; only four tags are blocked and event handler attributes are left intact. When an authenticated user with signature permission saves a signature containing elements such as <img>, <svg>, or <details> that carry onerror/onload handlers, the malicious code is persisted in the database. The signature is later rendered as raw HTML and inserted into the page via JavaScript. The embedded handlers execute automatically whenever any agent or administrator opens a conversation, enabling session hijacking, phishing overlays that bypass content‑security policies in some browsers, and escalation to admin capabilities such as mass‑assignment and even worm‑like propagation across mailboxes.

Affected Systems

The vulnerability affects the free, self‑hosted help‑desk platform Freescout, version 1.8.212 and earlier.

Risk and Exploitability

The flaw carries a CVSS score of 8.5, indicating high severity. EPSS information is not available, and the issue is not listed in the CISA KEV catalog. Attackers must be authenticated and be granted the ACCESS_PERM_SIGNATURE permission, a delegatable, non‑admin right, to insert malicious signatures. Once injected, the payload runs immediately without victim interaction, making exploitation straightforward for anyone who can reach a mailbox conversation on the affected system.

Generated by OpenCVE AI on April 21, 2026 at 22:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued update to FreeScout 1.8.213 or later.
  • Revoke the ACCESS_PERM_SIGNATURE permission from non‑administrators and limit mailbox signature editing to trusted users only.
  • Search the database for existing mailbox signatures and remove any that contain unexpected tags or event handlers.
  • If an immediate upgrade is not possible, disable the mailbox signature feature or enforce strict input validation that blocks all tags and event attributes.

Generated by OpenCVE AI on April 21, 2026 at 22:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Freescout Helpdesk
Freescout Helpdesk freescout
Vendors & Products Freescout Helpdesk
Freescout Helpdesk freescout

Tue, 21 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox signature feature. The sanitization function `Helper::stripDangerousTags()` (`app/Misc/Helper.php:568`) uses an incomplete blocklist of only four HTML tags (`script`, `form`, `iframe`, `object`) and does not remove event handler attributes. When a mailbox signature is saved via `MailboxesController::updateSave()` (`app/Http/Controllers/MailboxesController.php:267`), HTML elements such as `<img>`, `<svg>`, and `<details>` with event handler attributes like `onerror` and `onload` pass through sanitization unchanged and are stored in the database. The signature is then rendered as raw HTML via the Blade `{!! !!}` tag in `editor_bottom_toolbar.blade.php:6` and re-inserted into the visible DOM by jQuery `.html()` at `main.js:1789-1790`, triggering the injected event handlers. Any authenticated user with the `ACCESS_PERM_SIGNATURE` (`sig`) permission on a mailbox -- a delegatable, non-admin permission -- can inject arbitrary HTML and JavaScript into the mailbox signature. The payload fires automatically, with no victim interaction, whenever any agent or administrator opens any conversation in the affected mailbox. This enables session hijacking (under CSP bypass conditions such as IE11 or module-weakened CSP), phishing overlays that work in all browsers regardless of CSP, and chaining to admin-level actions including email exfiltration via mass assignment and self-propagating worm behavior across all mailboxes. Version 1.8.213 fixes the issue.
Title FreeScout Vulnerable to XSS via Mailbox Signature Due to Incomplete HTML Sanitization
Weaknesses CWE-116
CWE-79
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}

Subscriptions

Freescout Helpdesk Freescout
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T20:37:44.431Z

Reserved: 2026-04-14T13:24:29.474Z

Link: CVE-2026-40568

cve-icon Vulnrichment

Updated: 2026-04-21T20:32:39.519Z

cve-icon NVD

Status : Deferred

Published: 2026-04-21T17:16:55.297

Modified: 2026-04-22T21:10:14.290

Link: CVE-2026-40568

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T22:45:16Z

Weaknesses