Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in FreeScout's mailbox auto-reply feature. An attacker who has the updateAutoReply permission can inject malicious scripts into the auto-reply messages. These scripts bypass the usual validation by including a non-whitespace character outside HTML tags, allowing the payload to pass through filters that strip tags but do not fully sanitize attributes.

The malicious script is then included unescaped in outgoing auto-reply emails sent to customers. Because email clients do not enforce Content Security Policy (CSP), the script executes in the context of the customer's email client or webmail, potentially compromising their security.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to widespread phishing attacks, credential harvesting, or session theft for all customers who contact the affected mailbox. Since the malicious script executes in the customer's email client, attackers can steal sensitive information or perform unauthorized actions on behalf of the customer.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if the FreeScout instance is running a version prior to 1.8.217 and if users with the updateAutoReply permission have injected suspicious content into mailbox auto-reply messages.

You can inspect the auto-reply messages for unusual or suspicious payloads, such as HTML tags with event handlers (e.g., <img src=x onerror=alert(1)>) possibly preceded by a non-whitespace character.

Since the vulnerability involves stored XSS in auto-reply messages, commands to search for suspicious patterns in the database or logs might include:

• Using SQL queries to search the auto-reply message fields for suspicious HTML or JavaScript payloads, for example: SELECT * FROM auto_replies WHERE message LIKE '%<img%onerror=%';
• Using grep or similar tools on exported data or logs to find suspicious payloads, e.g., grep -r -i '<img src=x onerror' /path/to/freescout/data

Additionally, verify the FreeScout version by running: freescout --version or checking the application metadata to confirm if it is older than 1.8.217.

Useful 0 Not Useful 0

Mitigation Strategies

The primary immediate mitigation step is to upgrade FreeScout to version 1.8.217 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, restrict or review the permissions of users who have the updateAutoReply permission to prevent potential exploitation.

Review and sanitize existing auto-reply messages to remove any malicious payloads.

Consider implementing additional email filtering or scanning on outgoing emails to detect and block suspicious scripts or payloads.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to inject malicious scripts into auto-reply emails sent to customers, potentially leading to phishing, credential harvesting, or session theft. Such unauthorized access and data compromise could result in violations of data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information.

Because the vulnerability enables execution of malicious code in customers' email clients, it increases the risk of data breaches and unauthorized data exposure, which are critical compliance concerns under these standards.

Useful 0 Not Useful 0