<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>FreeScout - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/freescout/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 26 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/freescout/feed.xml" rel="self" type="application/rss+xml"/><item><title>FreeScout Arbitrary File Write via Crafted ZIP Upload (CVE-2026-41193)</title><link>https://feed.craftedsignal.io/briefs/2024-01-freescout-cve-2026-41193/</link><pubDate>Fri, 26 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-freescout-cve-2026-41193/</guid><description>FreeScout versions prior to 1.8.215 are vulnerable to arbitrary file write via a crafted ZIP archive uploaded by an authenticated administrator due to insufficient file path validation during module installation.</description><content:encoded><![CDATA[<p>FreeScout, a self-hosted help desk and shared mailbox platform, is susceptible to a critical vulnerability (CVE-2026-41193) affecting versions prior to 1.8.215. This flaw resides in the module installation feature, where ZIP archives are extracted without proper validation of file paths. An authenticated administrator can exploit this vulnerability by uploading a specially crafted ZIP archive, leading to arbitrary file write operations on the server filesystem. The vendor patched this vulnerability in version 1.8.215. Successful exploitation allows an attacker to achieve code execution on the targeted server, potentially leading to full system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains valid administrator credentials to the FreeScout platform.</li>
<li>The attacker navigates to the module installation section within the FreeScout admin panel.</li>
<li>The attacker crafts a malicious ZIP archive containing files with manipulated paths (e.g., using &quot;../&quot; sequences) designed to write outside the intended directory.</li>
<li>The attacker uploads the crafted ZIP archive through the module installation feature.</li>
<li>The FreeScout application extracts the contents of the ZIP archive without proper validation of the file paths.</li>
<li>The malicious files are written to arbitrary locations on the server's filesystem, as specified by the manipulated paths in the ZIP archive.</li>
<li>The attacker leverages the written files to execute arbitrary code, potentially overwriting system files or placing malicious scripts in web-accessible directories.</li>
<li>The attacker achieves persistent access and control over the FreeScout server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-41193 allows a malicious actor with administrative access to write arbitrary files to the FreeScout server's filesystem. This can lead to arbitrary code execution, complete compromise of the server, data theft, and disruption of help desk services. Given the potential for full system takeover, this vulnerability poses a critical risk to organizations using affected FreeScout versions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade FreeScout to version 1.8.215 or later to patch CVE-2026-41193 (reference: Overview).</li>
<li>Deploy the Sigma rule &quot;FreeScout Suspicious ZIP Upload&quot; to detect potentially malicious ZIP uploads to the FreeScout server (reference: rules).</li>
<li>Monitor web server logs for unusual file creation events in sensitive directories after ZIP archive extractions (reference: rules, logsource).</li>
<li>Implement strict access control policies to limit the number of users with administrative privileges in FreeScout.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>freescout</category><category>file-write</category><category>cve-2026-41193</category><category>zip-upload</category></item><item><title>FreeScout Unauthorized Attachment Deletion Vulnerability (CVE-2026-41192)</title><link>https://feed.craftedsignal.io/briefs/2024-01-freescout-attachment-deletion/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-freescout-attachment-deletion/</guid><description>FreeScout versions prior to 1.8.215 are vulnerable to unauthorized attachment deletion, allowing a malicious mailbox peer to delete attachments by replaying encrypted attachment IDs in the `save_draft` flow.</description><content:encoded><![CDATA[<p>FreeScout, a self-hosted help desk and shared mailbox platform, is susceptible to an unauthorized attachment deletion vulnerability in versions prior to 1.8.215. This flaw stems from the application's trust in client-supplied encrypted attachment IDs during reply and draft processes. An attacker with access to a mailbox conversation can exploit this by obtaining encrypted attachment IDs and replaying them through the <code>save_draft</code> functionality. The lack of proper validation allows the attacker to trigger the <code>Attachment::deleteByIds()</code> function, leading to the deletion of the original attachment row and file. This vulnerability was addressed in FreeScout version 1.8.215. Exploitation can result in data loss and disruption of service for affected FreeScout users.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains access to a FreeScout mailbox with visible conversations containing attachments.</li>
<li>Attacker inspects the HTML source or API responses of a conversation to obtain encrypted attachment IDs. These IDs are associated with legitimate attachments within the conversation.</li>
<li>The attacker crafts a malicious <code>save_draft</code> request, including the replayed encrypted attachment IDs in the <code>attachments_all[]</code> parameter.</li>
<li>The attacker omits these replayed IDs from any retained attachment lists within the <code>save_draft</code> request.</li>
<li>FreeScout processes the <code>save_draft</code> request and decrypts the attachment IDs present in <code>attachments_all[]</code> but absent from the retained lists.</li>
<li>The decrypted IDs are passed to the <code>Attachment::deleteByIds()</code> function without proper validation.</li>
<li><code>Attachment::deleteByIds()</code> executes, deleting the original attachment row and the corresponding file from the FreeScout server.</li>
<li>The victim user finds that the attachment has been deleted from the conversation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability (CVE-2026-41192) allows an attacker to delete attachments from FreeScout conversations without proper authorization. The number of potential victims depends on the number of FreeScout installations and the number of users with access to shared mailboxes. This can lead to data loss, disruption of business processes that rely on those attachments, and a potential loss of trust in the help desk system. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high severity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade FreeScout installations to version 1.8.215 or later to patch CVE-2026-41192.</li>
<li>Implement web application firewall (WAF) rules to monitor and block suspicious <code>save_draft</code> requests containing potentially replayed attachment IDs (cs-uri-query, cs-method from webserver logs).</li>
<li>Monitor FreeScout application logs for calls to <code>Attachment::deleteByIds()</code> originating from unusual IP addresses or user agents (application logs).</li>
<li>Deploy the provided Sigma rule to detect suspicious patterns in web server logs indicative of exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>freescout</category><category>attachment-deletion</category><category>cve-2026-41192</category></item><item><title>FreeScout Stored XSS Vulnerability in Mailbox Signatures (CVE-2026-40568)</title><link>https://feed.craftedsignal.io/briefs/2024-01-freescout-xss/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-freescout-xss/</guid><description>A stored cross-site scripting (XSS) vulnerability exists in FreeScout versions prior to 1.8.213 within the mailbox signature feature due to an incomplete HTML tag blocklist and failure to remove event handler attributes.</description><content:encoded><![CDATA[<p>FreeScout, a self-hosted help desk and shared mailbox platform, is vulnerable to a stored XSS attack in versions prior to 1.8.213. The vulnerability resides in the mailbox signature feature, where the sanitization function <code>Helper::stripDangerousTags()</code> at <code>app/Misc/Helper.php:568</code> inadequately filters HTML tags and attributes. Specifically, it fails to remove event handler attributes and only blocks <code>script</code>, <code>form</code>, <code>iframe</code>, and <code>object</code> tags. An authenticated user possessing the <code>ACCESS_PERM_SIGNATURE</code> (<code>sig</code>) permission can inject malicious HTML, including tags like <code>&lt;img&gt;</code>, <code>&lt;svg&gt;</code>, and <code>&lt;details&gt;</code> with event handlers such as <code>onerror</code> or <code>onload</code>. This injected code is then executed whenever any agent or administrator opens a conversation in the affected mailbox. Successful exploitation can lead to session hijacking, phishing attacks, and email exfiltration. The vulnerability was patched in version 1.8.213.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to FreeScout with an account possessing the <code>ACCESS_PERM_SIGNATURE</code> permission.</li>
<li>The attacker navigates to the mailbox settings.</li>
<li>The attacker injects malicious HTML containing XSS payloads into the mailbox signature field. Example: <code>&lt;img src=x onerror=alert(document.domain)&gt;</code>.</li>
<li>The attacker saves the modified mailbox signature via <code>MailboxesController::updateSave()</code> at <code>app/Http/Controllers/MailboxesController.php:267</code>. The incomplete sanitization allows the malicious HTML to be stored in the database.</li>
<li>The signature is rendered as raw HTML via the Blade <code>{!! !!}</code> tag in <code>editor_bottom_toolbar.blade.php:6</code>.</li>
<li>The raw HTML is re-inserted into the DOM by jQuery <code>.html()</code> at <code>main.js:1789-1790</code>.</li>
<li>The injected event handler (e.g., <code>onerror</code>) is triggered when the HTML is rendered in a conversation view.</li>
<li>The attacker executes arbitrary JavaScript code within the context of the FreeScout application, potentially leading to session hijacking, phishing overlays, or further malicious actions like email exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the FreeScout application. This can lead to a range of malicious activities, including session hijacking, phishing attacks against agents and administrators, and even email exfiltration. Since the vulnerability requires only the <code>ACCESS_PERM_SIGNATURE</code> permission, which can be delegated, the attack surface is broad. The CVSS v3.1 base score is 8.5, indicating a high severity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade FreeScout to version 1.8.213 or later to patch CVE-2026-40568.</li>
<li>Implement the &quot;Detect FreeScout XSS Attempt via Mailbox Signature&quot; Sigma rule to identify attempts to inject malicious HTML in mailbox signatures.</li>
<li>Review and restrict the <code>ACCESS_PERM_SIGNATURE</code> permission to only trusted users to minimize the attack surface.</li>
<li>Monitor web server logs for requests to <code>MailboxesController::updateSave()</code> (<code>app/Http/Controllers/MailboxesController.php:267</code>) containing potentially malicious HTML payloads.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>freescout</category><category>xss</category><category>cve-2026-40568</category><category>web-application</category></item></channel></rss>