{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/freescout/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-41193"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FreeScout"],"_cs_severities":["critical"],"_cs_tags":["freescout","file-write","cve-2026-41193","zip-upload"],"_cs_type":"advisory","_cs_vendors":["FreeScout"],"content_html":"\u003cp\u003eFreeScout, a self-hosted help desk and shared mailbox platform, is susceptible to a critical vulnerability (CVE-2026-41193) affecting versions prior to 1.8.215. This flaw resides in the module installation feature, where ZIP archives are extracted without proper validation of file paths. An authenticated administrator can exploit this vulnerability by uploading a specially crafted ZIP archive, leading to arbitrary file write operations on the server filesystem. The vendor patched this vulnerability in version 1.8.215. Successful exploitation allows an attacker to achieve code execution on the targeted server, potentially leading to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid administrator credentials to the FreeScout platform.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the module installation section within the FreeScout admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing files with manipulated paths (e.g., using \u0026quot;../\u0026quot; sequences) designed to write outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted ZIP archive through the module installation feature.\u003c/li\u003e\n\u003cli\u003eThe FreeScout application extracts the contents of the ZIP archive without proper validation of the file paths.\u003c/li\u003e\n\u003cli\u003eThe malicious files are written to arbitrary locations on the server's filesystem, as specified by the manipulated paths in the ZIP archive.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the written files to execute arbitrary code, potentially overwriting system files or placing malicious scripts in web-accessible directories.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistent access and control over the FreeScout server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41193 allows a malicious actor with administrative access to write arbitrary files to the FreeScout server's filesystem. This can lead to arbitrary code execution, complete compromise of the server, data theft, and disruption of help desk services. Given the potential for full system takeover, this vulnerability poses a critical risk to organizations using affected FreeScout versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FreeScout to version 1.8.215 or later to patch CVE-2026-41193 (reference: Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;FreeScout Suspicious ZIP Upload\u0026quot; to detect potentially malicious ZIP uploads to the FreeScout server (reference: rules).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual file creation events in sensitive directories after ZIP archive extractions (reference: rules, logsource).\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit the number of users with administrative privileges in FreeScout.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-freescout-cve-2026-41193/","summary":"FreeScout versions prior to 1.8.215 are vulnerable to arbitrary file write via a crafted ZIP archive uploaded by an authenticated administrator due to insufficient file path validation during module installation.","title":"FreeScout Arbitrary File Write via Crafted ZIP Upload (CVE-2026-41193)","url":"https://feed.craftedsignal.io/briefs/2024-01-freescout-cve-2026-41193/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-41192"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FreeScout"],"_cs_severities":["medium"],"_cs_tags":["freescout","attachment-deletion","cve-2026-41192"],"_cs_type":"advisory","_cs_vendors":["FreeScout"],"content_html":"\u003cp\u003eFreeScout, a self-hosted help desk and shared mailbox platform, is susceptible to an unauthorized attachment deletion vulnerability in versions prior to 1.8.215. This flaw stems from the application's trust in client-supplied encrypted attachment IDs during reply and draft processes. An attacker with access to a mailbox conversation can exploit this by obtaining encrypted attachment IDs and replaying them through the \u003ccode\u003esave_draft\u003c/code\u003e functionality. The lack of proper validation allows the attacker to trigger the \u003ccode\u003eAttachment::deleteByIds()\u003c/code\u003e function, leading to the deletion of the original attachment row and file. This vulnerability was addressed in FreeScout version 1.8.215. Exploitation can result in data loss and disruption of service for affected FreeScout users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to a FreeScout mailbox with visible conversations containing attachments.\u003c/li\u003e\n\u003cli\u003eAttacker inspects the HTML source or API responses of a conversation to obtain encrypted attachment IDs. These IDs are associated with legitimate attachments within the conversation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003esave_draft\u003c/code\u003e request, including the replayed encrypted attachment IDs in the \u003ccode\u003eattachments_all[]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker omits these replayed IDs from any retained attachment lists within the \u003ccode\u003esave_draft\u003c/code\u003e request.\u003c/li\u003e\n\u003cli\u003eFreeScout processes the \u003ccode\u003esave_draft\u003c/code\u003e request and decrypts the attachment IDs present in \u003ccode\u003eattachments_all[]\u003c/code\u003e but absent from the retained lists.\u003c/li\u003e\n\u003cli\u003eThe decrypted IDs are passed to the \u003ccode\u003eAttachment::deleteByIds()\u003c/code\u003e function without proper validation.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAttachment::deleteByIds()\u003c/code\u003e executes, deleting the original attachment row and the corresponding file from the FreeScout server.\u003c/li\u003e\n\u003cli\u003eThe victim user finds that the attachment has been deleted from the conversation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-41192) allows an attacker to delete attachments from FreeScout conversations without proper authorization. The number of potential victims depends on the number of FreeScout installations and the number of users with access to shared mailboxes. This can lead to data loss, disruption of business processes that rely on those attachments, and a potential loss of trust in the help desk system. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FreeScout installations to version 1.8.215 or later to patch CVE-2026-41192.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to monitor and block suspicious \u003ccode\u003esave_draft\u003c/code\u003e requests containing potentially replayed attachment IDs (cs-uri-query, cs-method from webserver logs).\u003c/li\u003e\n\u003cli\u003eMonitor FreeScout application logs for calls to \u003ccode\u003eAttachment::deleteByIds()\u003c/code\u003e originating from unusual IP addresses or user agents (application logs).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious patterns in web server logs indicative of exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-freescout-attachment-deletion/","summary":"FreeScout versions prior to 1.8.215 are vulnerable to unauthorized attachment deletion, allowing a malicious mailbox peer to delete attachments by replaying encrypted attachment IDs in the `save_draft` flow.","title":"FreeScout Unauthorized Attachment Deletion Vulnerability (CVE-2026-41192)","url":"https://feed.craftedsignal.io/briefs/2024-01-freescout-attachment-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.5,"id":"CVE-2026-40568"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FreeScout"],"_cs_severities":["high"],"_cs_tags":["freescout","xss","cve-2026-40568","web-application"],"_cs_type":"advisory","_cs_vendors":["FreeScout"],"content_html":"\u003cp\u003eFreeScout, a self-hosted help desk and shared mailbox platform, is vulnerable to a stored XSS attack in versions prior to 1.8.213. The vulnerability resides in the mailbox signature feature, where the sanitization function \u003ccode\u003eHelper::stripDangerousTags()\u003c/code\u003e at \u003ccode\u003eapp/Misc/Helper.php:568\u003c/code\u003e inadequately filters HTML tags and attributes. Specifically, it fails to remove event handler attributes and only blocks \u003ccode\u003escript\u003c/code\u003e, \u003ccode\u003eform\u003c/code\u003e, \u003ccode\u003eiframe\u003c/code\u003e, and \u003ccode\u003eobject\u003c/code\u003e tags. An authenticated user possessing the \u003ccode\u003eACCESS_PERM_SIGNATURE\u003c/code\u003e (\u003ccode\u003esig\u003c/code\u003e) permission can inject malicious HTML, including tags like \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e, \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e, and \u003ccode\u003e\u0026lt;details\u0026gt;\u003c/code\u003e with event handlers such as \u003ccode\u003eonerror\u003c/code\u003e or \u003ccode\u003eonload\u003c/code\u003e. This injected code is then executed whenever any agent or administrator opens a conversation in the affected mailbox. Successful exploitation can lead to session hijacking, phishing attacks, and email exfiltration. The vulnerability was patched in version 1.8.213.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to FreeScout with an account possessing the \u003ccode\u003eACCESS_PERM_SIGNATURE\u003c/code\u003e permission.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the mailbox settings.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious HTML containing XSS payloads into the mailbox signature field. Example: \u003ccode\u003e\u0026lt;img src=x onerror=alert(document.domain)\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the modified mailbox signature via \u003ccode\u003eMailboxesController::updateSave()\u003c/code\u003e at \u003ccode\u003eapp/Http/Controllers/MailboxesController.php:267\u003c/code\u003e. The incomplete sanitization allows the malicious HTML to be stored in the database.\u003c/li\u003e\n\u003cli\u003eThe signature is rendered as raw HTML via the Blade \u003ccode\u003e{!! !!}\u003c/code\u003e tag in \u003ccode\u003eeditor_bottom_toolbar.blade.php:6\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe raw HTML is re-inserted into the DOM by jQuery \u003ccode\u003e.html()\u003c/code\u003e at \u003ccode\u003emain.js:1789-1790\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected event handler (e.g., \u003ccode\u003eonerror\u003c/code\u003e) is triggered when the HTML is rendered in a conversation view.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary JavaScript code within the context of the FreeScout application, potentially leading to session hijacking, phishing overlays, or further malicious actions like email exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the FreeScout application. This can lead to a range of malicious activities, including session hijacking, phishing attacks against agents and administrators, and even email exfiltration. Since the vulnerability requires only the \u003ccode\u003eACCESS_PERM_SIGNATURE\u003c/code\u003e permission, which can be delegated, the attack surface is broad. The CVSS v3.1 base score is 8.5, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FreeScout to version 1.8.213 or later to patch CVE-2026-40568.\u003c/li\u003e\n\u003cli\u003eImplement the \u0026quot;Detect FreeScout XSS Attempt via Mailbox Signature\u0026quot; Sigma rule to identify attempts to inject malicious HTML in mailbox signatures.\u003c/li\u003e\n\u003cli\u003eReview and restrict the \u003ccode\u003eACCESS_PERM_SIGNATURE\u003c/code\u003e permission to only trusted users to minimize the attack surface.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003eMailboxesController::updateSave()\u003c/code\u003e (\u003ccode\u003eapp/Http/Controllers/MailboxesController.php:267\u003c/code\u003e) containing potentially malicious HTML payloads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-freescout-xss/","summary":"A stored cross-site scripting (XSS) vulnerability exists in FreeScout versions prior to 1.8.213 within the mailbox signature feature due to an incomplete HTML tag blocklist and failure to remove event handler attributes.","title":"FreeScout Stored XSS Vulnerability in Mailbox Signatures (CVE-2026-40568)","url":"https://feed.craftedsignal.io/briefs/2024-01-freescout-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - FreeScout","version":"https://jsonfeed.org/version/1.1"}