Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox signature feature. The sanitization function Helper::stripDangerousTags() (app/Misc/Helper.php:568) uses an incomplete blocklist of only four HTML tags (script, form, iframe, object) and does not remove event handler attributes. When a mailbox signature is saved via MailboxesController::updateSave() (app/Http/Controllers/MailboxesController.php:267), HTML elements such as <img>, <svg>, and <details> with event handler attributes like onerror and onload pass through sanitization unchanged and are stored in the database. The signature is then rendered as raw HTML via the Blade {!! !!} tag in editor_bottom_toolbar.blade.php:6 and re-inserted into the visible DOM by jQuery .html() at main.js:1789-1790, triggering the injected event handlers. Any authenticated user with the ACCESS_PERM_SIGNATURE (sig) permission on a mailbox -- a delegatable, non-admin permission -- can inject arbitrary HTML and JavaScript into the mailbox signature. The payload fires automatically, with no victim interaction, whenever any agent or administrator opens any conversation in the affected mailbox. This enables session hijacking (under CSP bypass conditions such as IE11 or module-weakened CSP), phishing overlays that work in all browsers regardless of CSP, and chaining to admin-level actions including email exfiltration via mass assignment and self-propagating worm behavior across all mailboxes. Version 1.8.213 fixes the issue.
AnalysisAI
Stored cross-site scripting in FreeScout versions prior to 1.8.213 allows authenticated users with mailbox signature permissions to inject arbitrary JavaScript that executes automatically whenever any agent or administrator opens a conversation in the affected mailbox. The vulnerability stems from inadequate HTML sanitization (blocklisting only four tags: script, form, iframe, object) that permits event handlers on elements like <img>, <svg>, and <details>. Exploitation requires only low-privilege authenticated access (ACCESS_PERM_SIGNATURE permission) and triggers without user interaction (CVSS UI:N), enabling session hijacking under certain CSP bypass conditions, phishing overlays, email exfiltration via mass assignment, and self-propagating worm behavior across all mailboxes. EPSS data not provided; no public exploit code or CISA KEV listing identified at time of analysis. Vendor-released patch available in version 1.8.213.
Technical ContextAI
FreeScout is a PHP-based self-hosted help desk and shared mailbox system. The vulnerability exists in the mailbox signature feature's HTML sanitization routine Helper::stripDangerousTags() (app/Misc/Helper.php:568), which implements an incomplete blocklist approach that removes only four HTML element types (script, form, iframe, object) while completely ignoring event handler attributes. When signatures are saved via MailboxesController::updateSave() (app/Http/Controllers/MailboxesController.php:267), dangerous constructs like <img onerror='...'>, <svg onload='...'>, and <details ontoggle='...'> pass through unchanged and persist to the database. The stored payload is then rendered unsafely using Laravel Blade's raw output syntax {!! !!} in editor_bottom_toolbar.blade.php:6 and dynamically re-inserted into the live DOM via jQuery's .html() method at main.js:1789-1790, causing immediate script execution. This is a classic CWE-79 stored XSS vulnerability caused by relying on blocklisting rather than allowlisting for HTML sanitization, combined with unsafe rendering patterns that treat user-controlled data as trusted HTML. The CPE identifier cpe:2.3:a:freescout-help-desk:freescout:*:*:*:*:*:*:*:* confirms all versions prior to the 1.8.213 patch are affected.
RemediationAI
Upgrade immediately to FreeScout version 1.8.213 or later, which fixes the vulnerability as documented in the release at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213. The fix is implemented in commit 1d83e1cffb0bf8d109625313530b36b0f5910b3f (https://github.com/freescout-help-desk/freescout/commit/1d83e1cffb0bf8d109625313530b36b0f5910b3f), which replaces the incomplete blocklist-based sanitization with more robust HTML filtering. Organizations unable to patch immediately should implement compensating controls: (1) Audit and temporarily revoke ACCESS_PERM_SIGNATURE (sig) permissions from all non-essential users, limiting signature editing to only highly trusted administrators - this reduces attack surface but impacts operational workflows where agents need signature customization. (2) Implement database-level monitoring for mailbox signature changes and inspect existing signatures for suspicious HTML elements (img, svg, details, video, audio) with event handler attributes (onerror, onload, ontoggle, onmouseover, etc.) - this is labor-intensive and requires manual review of potentially obfuscated payloads. (3) Deploy a Web Application Firewall (WAF) rule to block signature update requests containing common XSS event handlers, though this may be bypassed via encoding or uncommon event types. (4) If using a reverse proxy, strengthen Content Security Policy headers to restrict script-src to 'self' only with nonces, though the advisory notes this is partially effective and can be bypassed in IE11 or weakened by jQuery/module usage. None of these mitigations are complete substitutes for patching; upgrading to 1.8.213 is the only definitive remediation.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24169