FreeScout Vulnerable to XSS via Mailbox Signature Due to Incomplete HTML Sanitization

FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox signature feature. The sanitization function `Helper::stripDangerousTags()` (`app/Misc/Helper.php:568`) uses an incomplete blocklist of only four HTML tags (`script`, `form`, `iframe`, `object`) and does not remove event handler attributes. When a mailbox signature is saved via `MailboxesController::updateSave()` (`app/Http/Controllers/MailboxesController.php:267`), HTML elements such as `<img>`, `<svg>`, and `<details>` with event handler attributes like `onerror` and `onload` pass through sanitization unchanged and are stored in the database. The signature is then rendered as raw HTML via the Blade `{!! !!}` tag in `editor_bottom_toolbar.blade.php:6` and re-inserted into the visible DOM by jQuery `.html()` at `main.js:1789-1790`, triggering the injected event handlers. Any authenticated user with the `ACCESS_PERM_SIGNATURE` (`sig`) permission on a mailbox -- a delegatable, non-admin permission -- can inject arbitrary HTML and JavaScript into the mailbox signature. The payload fires automatically, with no victim interaction, whenever any agent or administrator opens any conversation in the affected mailbox. This enables session hijacking (under CSP bypass conditions such as IE11 or module-weakened CSP), phishing overlays that work in all browsers regardless of CSP, and chaining to admin-level actions including email exfiltration via mass assignment and self-propagating worm behavior across all mailboxes. Version 1.8.213 fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

FreeScout 安全漏洞

FreeScout是FreeScout公司的一个使用 PHP（Laravel 框架）构建的超轻量级且功能强大的免费开源帮助台和共享收件箱。 FreeScout 1.8.213之前版本存在安全漏洞，该漏洞源于邮箱签名功能中的清理函数Helper::stripDangerousTags使用不完整的阻止列表且未移除事件处理程序属性，可能导致具有ACCESS_PERM_SIGNATURE权限的认证用户注入任意HTML和JavaScript，触发会话劫持或钓鱼攻击。

N/A

N/A