{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40568/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.5,"id":"CVE-2026-40568"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FreeScout"],"_cs_severities":["high"],"_cs_tags":["freescout","xss","cve-2026-40568","web-application"],"_cs_type":"advisory","_cs_vendors":["FreeScout"],"content_html":"\u003cp\u003eFreeScout, a self-hosted help desk and shared mailbox platform, is vulnerable to a stored XSS attack in versions prior to 1.8.213. The vulnerability resides in the mailbox signature feature, where the sanitization function \u003ccode\u003eHelper::stripDangerousTags()\u003c/code\u003e at \u003ccode\u003eapp/Misc/Helper.php:568\u003c/code\u003e inadequately filters HTML tags and attributes. Specifically, it fails to remove event handler attributes and only blocks \u003ccode\u003escript\u003c/code\u003e, \u003ccode\u003eform\u003c/code\u003e, \u003ccode\u003eiframe\u003c/code\u003e, and \u003ccode\u003eobject\u003c/code\u003e tags. An authenticated user possessing the \u003ccode\u003eACCESS_PERM_SIGNATURE\u003c/code\u003e (\u003ccode\u003esig\u003c/code\u003e) permission can inject malicious HTML, including tags like \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e, \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e, and \u003ccode\u003e\u0026lt;details\u0026gt;\u003c/code\u003e with event handlers such as \u003ccode\u003eonerror\u003c/code\u003e or \u003ccode\u003eonload\u003c/code\u003e. This injected code is then executed whenever any agent or administrator opens a conversation in the affected mailbox. Successful exploitation can lead to session hijacking, phishing attacks, and email exfiltration. The vulnerability was patched in version 1.8.213.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to FreeScout with an account possessing the \u003ccode\u003eACCESS_PERM_SIGNATURE\u003c/code\u003e permission.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the mailbox settings.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious HTML containing XSS payloads into the mailbox signature field. Example: \u003ccode\u003e\u0026lt;img src=x onerror=alert(document.domain)\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the modified mailbox signature via \u003ccode\u003eMailboxesController::updateSave()\u003c/code\u003e at \u003ccode\u003eapp/Http/Controllers/MailboxesController.php:267\u003c/code\u003e. The incomplete sanitization allows the malicious HTML to be stored in the database.\u003c/li\u003e\n\u003cli\u003eThe signature is rendered as raw HTML via the Blade \u003ccode\u003e{!! !!}\u003c/code\u003e tag in \u003ccode\u003eeditor_bottom_toolbar.blade.php:6\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe raw HTML is re-inserted into the DOM by jQuery \u003ccode\u003e.html()\u003c/code\u003e at \u003ccode\u003emain.js:1789-1790\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected event handler (e.g., \u003ccode\u003eonerror\u003c/code\u003e) is triggered when the HTML is rendered in a conversation view.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary JavaScript code within the context of the FreeScout application, potentially leading to session hijacking, phishing overlays, or further malicious actions like email exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the FreeScout application. This can lead to a range of malicious activities, including session hijacking, phishing attacks against agents and administrators, and even email exfiltration. Since the vulnerability requires only the \u003ccode\u003eACCESS_PERM_SIGNATURE\u003c/code\u003e permission, which can be delegated, the attack surface is broad. The CVSS v3.1 base score is 8.5, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FreeScout to version 1.8.213 or later to patch CVE-2026-40568.\u003c/li\u003e\n\u003cli\u003eImplement the \u0026quot;Detect FreeScout XSS Attempt via Mailbox Signature\u0026quot; Sigma rule to identify attempts to inject malicious HTML in mailbox signatures.\u003c/li\u003e\n\u003cli\u003eReview and restrict the \u003ccode\u003eACCESS_PERM_SIGNATURE\u003c/code\u003e permission to only trusted users to minimize the attack surface.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003eMailboxesController::updateSave()\u003c/code\u003e (\u003ccode\u003eapp/Http/Controllers/MailboxesController.php:267\u003c/code\u003e) containing potentially malicious HTML payloads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-freescout-xss/","summary":"A stored cross-site scripting (XSS) vulnerability exists in FreeScout versions prior to 1.8.213 within the mailbox signature feature due to an incomplete HTML tag blocklist and failure to remove event handler attributes.","title":"FreeScout Stored XSS Vulnerability in Mailbox Signatures (CVE-2026-40568)","url":"https://feed.craftedsignal.io/briefs/2024-01-freescout-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-40568","version":"https://jsonfeed.org/version/1.1"}