<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-40568 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-40568/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-40568/feed.xml" rel="self" type="application/rss+xml"/><item><title>FreeScout Stored XSS Vulnerability in Mailbox Signatures (CVE-2026-40568)</title><link>https://feed.craftedsignal.io/briefs/2024-01-freescout-xss/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-freescout-xss/</guid><description>A stored cross-site scripting (XSS) vulnerability exists in FreeScout versions prior to 1.8.213 within the mailbox signature feature due to an incomplete HTML tag blocklist and failure to remove event handler attributes.</description><content:encoded><![CDATA[<p>FreeScout, a self-hosted help desk and shared mailbox platform, is vulnerable to a stored XSS attack in versions prior to 1.8.213. The vulnerability resides in the mailbox signature feature, where the sanitization function <code>Helper::stripDangerousTags()</code> at <code>app/Misc/Helper.php:568</code> inadequately filters HTML tags and attributes. Specifically, it fails to remove event handler attributes and only blocks <code>script</code>, <code>form</code>, <code>iframe</code>, and <code>object</code> tags. An authenticated user possessing the <code>ACCESS_PERM_SIGNATURE</code> (<code>sig</code>) permission can inject malicious HTML, including tags like <code>&lt;img&gt;</code>, <code>&lt;svg&gt;</code>, and <code>&lt;details&gt;</code> with event handlers such as <code>onerror</code> or <code>onload</code>. This injected code is then executed whenever any agent or administrator opens a conversation in the affected mailbox. Successful exploitation can lead to session hijacking, phishing attacks, and email exfiltration. The vulnerability was patched in version 1.8.213.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to FreeScout with an account possessing the <code>ACCESS_PERM_SIGNATURE</code> permission.</li>
<li>The attacker navigates to the mailbox settings.</li>
<li>The attacker injects malicious HTML containing XSS payloads into the mailbox signature field. Example: <code>&lt;img src=x onerror=alert(document.domain)&gt;</code>.</li>
<li>The attacker saves the modified mailbox signature via <code>MailboxesController::updateSave()</code> at <code>app/Http/Controllers/MailboxesController.php:267</code>. The incomplete sanitization allows the malicious HTML to be stored in the database.</li>
<li>The signature is rendered as raw HTML via the Blade <code>{!! !!}</code> tag in <code>editor_bottom_toolbar.blade.php:6</code>.</li>
<li>The raw HTML is re-inserted into the DOM by jQuery <code>.html()</code> at <code>main.js:1789-1790</code>.</li>
<li>The injected event handler (e.g., <code>onerror</code>) is triggered when the HTML is rendered in a conversation view.</li>
<li>The attacker executes arbitrary JavaScript code within the context of the FreeScout application, potentially leading to session hijacking, phishing overlays, or further malicious actions like email exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the FreeScout application. This can lead to a range of malicious activities, including session hijacking, phishing attacks against agents and administrators, and even email exfiltration. Since the vulnerability requires only the <code>ACCESS_PERM_SIGNATURE</code> permission, which can be delegated, the attack surface is broad. The CVSS v3.1 base score is 8.5, indicating a high severity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade FreeScout to version 1.8.213 or later to patch CVE-2026-40568.</li>
<li>Implement the &quot;Detect FreeScout XSS Attempt via Mailbox Signature&quot; Sigma rule to identify attempts to inject malicious HTML in mailbox signatures.</li>
<li>Review and restrict the <code>ACCESS_PERM_SIGNATURE</code> permission to only trusted users to minimize the attack surface.</li>
<li>Monitor web server logs for requests to <code>MailboxesController::updateSave()</code> (<code>app/Http/Controllers/MailboxesController.php:267</code>) containing potentially malicious HTML payloads.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>freescout</category><category>xss</category><category>cve-2026-40568</category><category>web-application</category></item></channel></rss>