PT-2024-22789 · Freescout · Freescout

Umeradeemcheema · Published 2024-03-22 · Updated 2025-01-10 · CVE-2024-29184

CVSS v3.1: 8.0 High

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

FreeScout versions prior to 1.8.128

Description

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Signature Input Field of the FreeScout application. User input in this field is not properly sanitized before it is stored on the server, which allows an attacker to inject malicious scripts that execute when other users access the affected page. The application's Content Security Policy (CSP) was bypassed by uploading a JS file to the server via a POST request to the /conversation/upload endpoint. The CSP only allows JS files that are present on the application server and does not allow any inline script or any script other than nonce-abcd. Because the uploaded file is itself served from the application server, using its link as the src of a script tag satisfies the policy, so the CSP was bypassed and XSS became possible. The impact of this vulnerability is severe: an attacker can compromise the FreeScout application, perform malicious actions, steal sensitive information, and potentially deface the application.

Recommendations

For versions prior to 1.8.128, update to version 1.8.128 or later to resolve the issue. As a temporary workaround, consider restricting access to the /conversation/upload endpoint to prevent the upload of malicious JS files. Additionally, restrict the use of the script tag with a src attribute in the Signature Input Field to minimize the risk of exploitation.
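The following audit check is an added example, not FreeScout code or part of the original advisory: it parses stored signature HTML and reports every script src that a given CSP would still load, which is the condition the description attributes the bypass to. The host name, file path and policy string are constructed from the description, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> element in stored HTML."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)


def origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc.lower())


def csp_allows_script_url(policy, page_url, src):
    """Simplified script-src model: 'self' and scheme://host sources only."""
    directives = {}
    for tokens in filter(None, (p.split() for p in policy.split(";"))):
        directives.setdefault(tokens[0].lower(), tokens[1:])
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # the policy does not restrict scripts at all
    target = origin(urljoin(page_url, src))
    for source in sources:
        if source.lower() == "'self'" and target == origin(page_url):
            return True
        if "://" in source and origin(source) == target:
            return True
    return False


def risky_signature_scripts(policy, page_url, signature_html):
    # Script URLs in the stored signature that the policy would still load.
    parser = ScriptSrcCollector()
    parser.feed(signature_html)
    return [s for s in parser.sources if csp_allows_script_url(policy, page_url, s)]


# Constructed sample data: host and file path are placeholders, not from the advisory.
PAGE = "https://helpdesk.example/conversation/1"
POLICY = "script-src 'self' 'nonce-abcd'"
SIGNATURE = '<p>Regards</p><script src="/UPLOADED-FILE-PLACEHOLDER.js"></script>'
```

With the constructed inputs, `risky_signature_scripts(POLICY, PAGE, SIGNATURE)` reports the same-origin path, while the same signature checked against `script-src 'nonce-abcd'` alone reports nothing.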

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-29184
GHSA-FFFC-PHH8-5H4V

Affected Products

Freescout