CVE-2024-29184 in freescoutinfo

Summary

by MITRE • 03/22/2024

FreeScout is a self-hosted help desk and shared mailbox. A Stored Cross-Site Scripting (XSS) vulnerability has been identified within the Signature Input Field of the FreeScout Application prior to version 1.8.128. Stored XSS occurs when user input is not properly sanitized and is stored on the server, allowing an attacker to inject malicious scripts that will be executed when other users access the affected page. In this case, the Support Agent User can inject malicious scripts into their signature, which will then be executed when viewed by the Administrator.

The application protects users against XSS attacks by enforcing a Content Security Policy (CSP): `script-src 'self' 'nonce-abcd'`. This policy only allows the inclusion of JS files that are present on the application server and does not allow inline scripts or any script other than one carrying the nonce `abcd`. The CSP policy was bypassed by uploading a JS file to the server with a POST request to the /conversation/upload endpoint. After this, a working XSS payload was crafted by including the link to the uploaded JS file as the src of the script. This bypassed the CSP policy and made XSS attacks possible.

The impact of this vulnerability is severe as it allows an attacker to compromise the FreeScout Application. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. Alternatively, the attacker can elevate the privileges of a low-privileged user to Administrator, further compromising the security of the application. Attackers can steal sensitive information such as login credentials, session tokens, personal identifiable information (PII), and financial data. The vulnerability can also lead to defacement of the Application.

Version 1.8.128 contains a patch for this issue.


Analysis

by VulDB Data Team • 04/13/2025

FreeScout is a self-hosted help desk and shared mailbox solution that serves as a central communication platform for support teams. CVE-2024-29184 describes a stored cross-site scripting flaw in the application's signature input field. The vulnerability exists in versions prior to 1.8.128 and specifically targets the administrative interface where support agents can define their signatures. The flaw arises from inadequate input sanitization that permits script injection into stored user data, creating a persistent threat that affects every user who views the compromised signature content.

Exploiting this vulnerability involves a multi-stage approach that bypasses the application's existing security controls. FreeScout implements a Content Security Policy (CSP) with the directive `script-src 'self' 'nonce-abcd'` to prevent unauthorized script execution, but an attacker can circumvent this protection through the application's legitimate file upload functionality. The exploitation begins with uploading a JavaScript file through the POST endpoint at /conversation/upload, which allows arbitrary file uploads to the server. The attacker then crafts a payload that references this uploaded file as an external script source, bypassing the CSP restrictions that would otherwise prevent inline scripts and external script inclusion.
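To make the bypass mechanics concrete from a defender's point of view, the following is an added example (not code from FreeScout or from the advisory) that models, in a simplified way, how a browser evaluates the `script-src 'self' 'nonce-abcd'` policy quoted above for four kinds of script element. The page origin `https://helpdesk.example` and the upload path `/storage/attachment/note.js` are assumptions; the policy string is the one quoted in the Summary and Analysis. The point it demonstrates is that `'self'` covers any resource served from the application's own origin, including user-uploaded files, so a nonce-based policy alone does not protect against a same-origin upload used as a script source.

```python
from typing import Optional
from urllib.parse import urlsplit

# Policy copied from the advisory; the page origin is an assumption for this example.
PAGE_ORIGIN = "https://helpdesk.example"
POLICY = "script-src 'self' 'nonce-abcd'"


def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for clause in policy.split(";"):
        parts = clause.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def script_allowed(policy: str, page_origin: str, src: Optional[str],
                   nonce: Optional[str] = None) -> bool:
    """Simplified model of a browser's script-src decision for one <script> element.

    src=None models an inline script; nonce is the element's nonce attribute.
    Host-source matching is reduced to an exact origin comparison, which is
    enough to show why 'self' admits anything served from the help desk's origin.
    """
    d = parse_csp(policy)
    sources = d.get("script-src", d.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)

    # A matching nonce allows the element outright, whether inline or external.
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    if src is None:
        # Inline scripts need 'unsafe-inline', and CSP3 ignores that keyword
        # whenever a nonce or hash source is present in the directive.
        return "'unsafe-inline'" in sources and not has_nonce_or_hash
    # A relative URL resolves against the page, so it is same-origin by definition.
    parts = urlsplit(src)
    src_origin = f"{parts.scheme}://{parts.netloc}" if parts.netloc else page_origin
    if "'self'" in sources and src_origin == page_origin:
        return True
    return src_origin in [s for s in sources if not s.startswith("'")]


def evaluate_cases() -> dict:
    """The four cases that matter for the signature-field XSS described above."""
    return {
        "inline": script_allowed(POLICY, PAGE_ORIGIN, None),
        "inline_with_nonce": script_allowed(POLICY, PAGE_ORIGIN, None, nonce="abcd"),
        "external_cross_origin": script_allowed(POLICY, PAGE_ORIGIN, "https://cdn.example/lib.js"),
        # Assumed path of an uploaded attachment served from the application origin.
        "same_origin_upload": script_allowed(POLICY, PAGE_ORIGIN, "/storage/attachment/note.js"),
    }


if __name__ == "__main__":
    for case, allowed in evaluate_cases().items():
        print(f"{case:24s} {'ALLOWED' if allowed else 'blocked'}")
```

Only the first two rows of the output are what the policy author intended; the fourth row is the gap the advisory describes. The practical mitigations are to serve uploads from a separate origin (or as opaque downloads with a non-script MIME type and `X-Content-Type-Options: nosniff`) and to sanitize the signature field so a script element never reaches the stored HTML in the first place.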

This vulnerability directly maps to CWE-79: Improper Neutralization of Input During Web Page Generation, which specifically addresses the failure to properly sanitize user input that leads to XSS conditions. The attack follows patterns consistent with ATT&CK technique T1059.001: Command and Scripting Interpreter - JavaScript, where attackers leverage JavaScript execution capabilities to perform malicious activities. The operational impact extends beyond simple script execution, as the vulnerability enables complete compromise of the application through privilege escalation attacks. An attacker can force administrative actions such as creating new administrator accounts, modifying user permissions, or exfiltrating sensitive data including login credentials, session tokens, personally identifiable information, and financial data.

The security implications of this vulnerability are particularly severe because it targets the administrative interface where critical system functions are performed. When an administrator views a compromised signature, the malicious script executes within their browser context with full administrative privileges, enabling unauthorized modifications to the application configuration. The vulnerability also represents a significant risk for data integrity and confidentiality, as it allows attackers to steal session cookies and perform unauthorized actions on behalf of legitimate users. Organizations relying on FreeScout for customer support and communication are particularly vulnerable since the attack can remain undetected while compromising the entire help desk infrastructure. The patch released in version 1.8.128 addresses this issue through proper input validation and enhanced sanitization of signature fields, along with improved restrictions on file upload capabilities to prevent malicious code execution.
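The paragraph above says the fix combined input sanitization of the signature field with restrictions on uploads. The following added example (not FreeScout's patch, whose exact changes are not described on this page) shows one way to implement both controls: an allowlist-based HTML sanitizer that rebuilds a signature from formatting tags only, dropping script and style elements with their contents, event-handler attributes and `javascript:` links, and an upload policy that refuses active-content extensions and serves everything else as an opaque download. The allowed tag set, the extension list and the sample signature are constructed for this example.

```python
import os
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist for a signature field: formatting only, no active content (constructed).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "span", "div", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}


class SignatureSanitizer(HTMLParser):
    """Rebuilds signature HTML from the allowlist; everything else becomes text or is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []        # allowed tags currently open, so output stays balanced
        self.drop_depth = 0   # > 0 while inside <script>, <style>, ...: content is discarded

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return            # unknown tag: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue      # this also drops every on* handler and style attribute
            if name == "href" and urlsplit(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                continue      # javascript:, data:, vbscript: and similar schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth -= 1
            return
        if tag in self.open:  # close intervening tags so the output nests correctly
            while True:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open:      # close anything the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_signature(html: str) -> str:
    """Sanitize a stored signature before it is rendered for any other user."""
    parser = SignatureSanitizer()
    parser.feed(html)
    return parser.result()


# Extensions a browser could execute if the file were served from the app origin (constructed list).
ACTIVE_CONTENT_EXT = {".js", ".mjs", ".html", ".htm", ".xhtml", ".svg", ".php", ".phtml"}


def upload_policy(filename: str) -> dict:
    """Decide whether to accept an attachment upload and how to serve it back."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in ACTIVE_CONTENT_EXT:
        return {"accept": False, "reason": f"active content extension {ext}"}
    # Served as an opaque download: with nosniff and a non-script MIME type a
    # browser refuses to execute the response even if a <script src> points at it.
    return {"accept": True, "headers": {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
    }}


if __name__ == "__main__":
    # Constructed sample signature mixing formatting with the kinds of content to strip.
    sample = ('<p>Best regards,<br>Alice</p><script src="/storage/attachment/note.js"></script>'
              '<b onmouseover="x()">Support</b><a href="javascript:alert(1)">site</a>')
    print(sanitize_signature(sample))
    print(upload_policy("note.js"), upload_policy("invoice.pdf"))
```

The sanitizer runs at render time as well as at save time, so signatures stored before the fix are also neutralized. The upload policy pairs with serving attachments from a dedicated origin where possible; either measure alone closes the `'self'` gap, and together they do not depend on the CSP at all.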

Responsible

GitHub, Inc.

Reservation

03/18/2024

Disclosure

03/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00861

KEV

no

Activities

very low

Sources
