CVE-2026-40568: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in freescout-help-desk freescout
FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox signature feature. The sanitization function `Helper::stripDangerousTags()` (`app/Misc/Helper.php:568`) uses an incomplete blocklist of only four HTML tags (`script`, `form`, `iframe`, `object`) and does not remove event handler attributes. When a mailbox signature is saved via `MailboxesController::updateSave()` (`app/Http/Controllers/MailboxesController.php:267`), HTML elements such as `<img>`, `<svg>`, and `<details>` with event handler attributes like `onerror` and `onload` pass through sanitization unchanged and are stored in the database. The signature is then rendered as raw HTML via the Blade `{!! !!}` tag in `editor_bottom_toolbar.blade.php:6` and re-inserted into the visible DOM by jQuery `.html()` at `main.js:1789-1790`, triggering the injected event handlers. Any authenticated user with the `ACCESS_PERM_SIGNATURE` (`sig`) permission on a mailbox -- a delegatable, non-admin permission -- can inject arbitrary HTML and JavaScript into the mailbox signature. The payload fires automatically, with no victim interaction, whenever any agent or administrator opens any conversation in the affected mailbox. This enables session hijacking (under CSP bypass conditions such as IE11 or module-weakened CSP), phishing overlays that work in all browsers regardless of CSP, and chaining to admin-level actions including email exfiltration via mass assignment and self-propagating worm behavior across all mailboxes. Version 1.8.213 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-40568 is a stored XSS vulnerability in FreeScout's mailbox signature feature affecting versions before 1.8.213. The sanitization function Helper::stripDangerousTags() blocks only four HTML tags but does not remove event handler attributes, allowing tags like <img> and <svg> with onerror or onload attributes to persist. Authenticated users with the ACCESS_PERM_SIGNATURE permission can inject arbitrary HTML/JavaScript into mailbox signatures. The injected code executes automatically when conversations are viewed, enabling session hijacking under certain CSP bypass conditions, phishing overlays, and chaining to admin-level actions including email exfiltration and worm-like propagation. The vulnerability is addressed in FreeScout version 1.8.213.
Potential Impact
This vulnerability allows authenticated users with delegated signature permissions to inject and execute arbitrary JavaScript in the context of other users viewing mailbox conversations. This can lead to session hijacking (especially under CSP bypass scenarios), phishing attacks that bypass CSP protections, unauthorized email exfiltration, and potential self-propagating malware behavior affecting all mailboxes. The impact includes confidentiality loss and integrity compromise of user sessions and mailbox data.
Mitigation Recommendations
Version 1.8.213 of FreeScout fixes this vulnerability. Users should upgrade to version 1.8.213 or later to remediate the issue. No official patch or temporary fix details are provided beyond this version update. Until upgraded, restrict ACCESS_PERM_SIGNATURE permissions to fully trusted users only. Patch status is not yet confirmed beyond the version fix statement — check the vendor advisory for current remediation guidance.
CVE-2026-40568: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in freescout-help-desk freescout
Description
FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox signature feature. The sanitization function `Helper::stripDangerousTags()` (`app/Misc/Helper.php:568`) uses an incomplete blocklist of only four HTML tags (`script`, `form`, `iframe`, `object`) and does not remove event handler attributes. When a mailbox signature is saved via `MailboxesController::updateSave()` (`app/Http/Controllers/MailboxesController.php:267`), HTML elements such as `<img>`, `<svg>`, and `<details>` with event handler attributes like `onerror` and `onload` pass through sanitization unchanged and are stored in the database. The signature is then rendered as raw HTML via the Blade `{!! !!}` tag in `editor_bottom_toolbar.blade.php:6` and re-inserted into the visible DOM by jQuery `.html()` at `main.js:1789-1790`, triggering the injected event handlers. Any authenticated user with the `ACCESS_PERM_SIGNATURE` (`sig`) permission on a mailbox -- a delegatable, non-admin permission -- can inject arbitrary HTML and JavaScript into the mailbox signature. The payload fires automatically, with no victim interaction, whenever any agent or administrator opens any conversation in the affected mailbox. This enables session hijacking (under CSP bypass conditions such as IE11 or module-weakened CSP), phishing overlays that work in all browsers regardless of CSP, and chaining to admin-level actions including email exfiltration via mass assignment and self-propagating worm behavior across all mailboxes. Version 1.8.213 fixes the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-40568 is a stored XSS vulnerability in FreeScout's mailbox signature feature affecting versions before 1.8.213. The sanitization function Helper::stripDangerousTags() blocks only four HTML tags but does not remove event handler attributes, allowing tags like <img> and <svg> with onerror or onload attributes to persist. Authenticated users with the ACCESS_PERM_SIGNATURE permission can inject arbitrary HTML/JavaScript into mailbox signatures. The injected code executes automatically when conversations are viewed, enabling session hijacking under certain CSP bypass conditions, phishing overlays, and chaining to admin-level actions including email exfiltration and worm-like propagation. The vulnerability is addressed in FreeScout version 1.8.213.
Potential Impact
This vulnerability allows authenticated users with delegated signature permissions to inject and execute arbitrary JavaScript in the context of other users viewing mailbox conversations. This can lead to session hijacking (especially under CSP bypass scenarios), phishing attacks that bypass CSP protections, unauthorized email exfiltration, and potential self-propagating malware behavior affecting all mailboxes. The impact includes confidentiality loss and integrity compromise of user sessions and mailbox data.
Mitigation Recommendations
Version 1.8.213 of FreeScout fixes this vulnerability. Users should upgrade to version 1.8.213 or later to remediate the issue. No official patch or temporary fix details are provided beyond this version update. Until upgraded, restrict ACCESS_PERM_SIGNATURE permissions to fully trusted users only. Patch status is not yet confirmed beyond the version fix statement — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-14T13:24:29.474Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e7a65119fe3cd2cde569fe
Added to database: 4/21/2026, 4:31:13 PM
Last enriched: 4/21/2026, 4:46:03 PM
Last updated: 4/22/2026, 6:07:37 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.