CVE-2026-40568
Stored XSS in FreeScout Mailbox Signature Enables Session Hijacking
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freescout | freescout | < 1.8.213 (1.8.213 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40568 is a stored cross-site scripting (XSS) vulnerability in FreeScout versions prior to 1.8.213, specifically in the mailbox signature feature.
The vulnerability arises because the HTML sanitization function `Helper::stripDangerousTags()` only blocks four HTML tags (`script`, `form`, `iframe`, `object`) but does not remove event handler attributes like `onerror` or `onload`. This allows malicious HTML elements such as `<img>`, `<svg>`, and `<details>` with event handlers to be saved in mailbox signatures.
When a mailbox signature is saved, the insufficient sanitization lets attackers store arbitrary HTML and JavaScript in the database. Later, this content is rendered as raw HTML and inserted into the visible DOM, causing the malicious scripts to execute automatically without any user interaction.
Any authenticated user with the delegatable, non-admin permission `ACCESS_PERM_SIGNATURE` can exploit this to inject malicious code that triggers whenever any agent or administrator views a conversation in the affected mailbox.
How can this vulnerability impact me?
This vulnerability can have severe impacts including:
- Session hijacking under conditions where Content Security Policy (CSP) can be bypassed, such as in IE11 or weakened CSP modules.
- Phishing overlays that work across all browsers regardless of CSP, using only HTML and CSS.
- Chaining attacks to admin-level actions, such as mass assignment to inject automatic BCC addresses on mailboxes, enabling exfiltration of sensitive emails.
- Self-propagating worm behavior that spreads malicious signatures across all mailboxes accessible to the victim.
- Remote code execution by uploading malicious FreeScout modules (PHP webshells) when CSP is bypassed.
- Injection of tracking pixels to monitor when agents and customers view emails.
Additionally, the vulnerability affects outgoing emails where the malicious signature is included verbatim in HTML emails without CSP enforcement, increasing the risk of exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored cross-site scripting (XSS) in mailbox signatures of FreeScout versions prior to 1.8.213. Detection involves identifying mailbox signatures containing malicious HTML elements with event handler attributes such as onerror or onload that bypass the sanitization.
You can detect potentially malicious signatures by querying the database for mailbox signatures containing suspicious HTML tags and event handler attributes. For example, search for signatures that contain `<img>`, `<svg>` or `<details>` tags carrying attributes such as `onerror` or `onload`.
- Use SQL queries on the FreeScout database to find mailbox signatures with suspicious patterns, e.g.: `SELECT * FROM mailbox_signatures WHERE signature LIKE '%<img%onerror=%' OR signature LIKE '%<svg%onload=%';`
- Monitor HTTP traffic for suspicious payloads or injected scripts in mailbox signature update requests, especially POST requests handled by `MailboxesController::updateSave()`.
- Check application logs for unusual mailbox signature updates by users holding the `ACCESS_PERM_SIGNATURE` permission.
Note that no specific detection commands are provided in the resources, but these general approaches can help identify exploitation attempts or malicious stored signatures.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade FreeScout to version 1.8.213 or later, which includes a fix replacing the vulnerable sanitization function with a robust allowlist-based HTML purifier that removes dangerous tags and event handler attributes.
Additional immediate steps include:
- Apply the security update that replaces `Helper::stripDangerousTags()` with `Helper::purifyHtml()` to ensure proper sanitization of mailbox signatures.
- Ensure the fix is applied both when saving signatures (`MailboxesController.php`) and when rendering them (`Conversation.php`).
- Implement the `CheckBrowser` middleware introduced in version 1.8.213 to block browsers without adequate Content Security Policy (CSP) support, reducing risk from CSP bypass.
- Restrict or audit users with the `ACCESS_PERM_SIGNATURE` permission to prevent unauthorized signature modifications.
These steps collectively mitigate the risk of stored XSS exploitation, session hijacking, phishing overlays, and other chained attacks.
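The following is an added illustration, not FreeScout's code, of the two sanitization approaches contrasted above and of the detection pass described under the detection question: a constructed tag-blocklist stripper in the style the advisory attributes to `stripDangerousTags()`, an allowlist purifier built on Python's `html.parser` that also drops every `on*` attribute, and a scan over stored signature rows. The tag and attribute allowlists, the function names and the sample signature are assumptions made for the example.

```python
import html
import re
from html.parser import HTMLParser

# Blocklist stand-in for the flawed approach: four tag names removed, attributes never inspected.
BLOCKED_TAGS = ("script", "form", "iframe", "object")
def strip_dangerous_tags(raw: str) -> str:
    return re.sub(r"</?(?:%s)\b[^>]*>" % "|".join(BLOCKED_TAGS), "", raw, flags=re.I)

# Allowlist purifier: keep only known-safe tags and attributes and drop everything else,
# including every on* event handler attribute (the allowlists below are assumed for the example).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "span", "div", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}, "span": {"style"}}
VOID_TAGS = {"br", "img"}

class AllowlistPurifier(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings = [], []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:  # unknown tag: drop it and keep only its text content
            self.findings.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"attr:{tag}@{name}")
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # text is always re-escaped

def purify_html(raw: str):
    """Return (clean_html, findings); a non-empty findings list marks an unsafe signature."""
    p = AllowlistPurifier()
    p.feed(raw)
    p.close()
    return "".join(p.out), p.findings

def flag_suspicious(rows):
    """Detection pass over (id, signature) rows read from storage: ids the purifier would change."""
    return [row_id for row_id, body in rows if purify_html(body)[1]]

# Constructed sample: the blocklist drops <script> but leaves the img event handler intact.
SAMPLE = '<p>Regards, <b>Support</b></p><img src="x" onerror="handler()"><script>handler()</script>'
```

Running `flag_suspicious` over rows exported from the signature store gives a review list that does not depend on guessing `LIKE` patterns for each tag and attribute combination.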
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users with limited permissions to inject malicious HTML and JavaScript into mailbox signatures, which can lead to session hijacking, phishing, unauthorized data exfiltration, and self-propagating attacks.
Such unauthorized access and data exfiltration risks can compromise the confidentiality and integrity of sensitive information, potentially violating data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive data against unauthorized access and breaches.
Because the vulnerability enables attackers to exfiltrate emails containing sensitive data and hijack sessions without user interaction, organizations using affected versions of FreeScout may face compliance challenges related to protecting personal data, maintaining data confidentiality, and ensuring secure access controls.