CVE-2024-34698

Name of the Vulnerable Software and Affected Versions FreeScout versions prior to 1.8.139

Description The issue arises from a Prototype Pollution vulnerability in the /public/js/main.js source file. This vulnerability occurs because the getQueryParam function recursively merges an object containing user-controllable properties into an existing object for URL query parameters parsing, without first sanitizing the keys. An attacker can inject a property with a key proto, along with arbitrarily nested properties, allowing them to pollute the prototype with properties containing harmful values. These properties are then inherited by user-defined objects and used by the application, potentially leading to unsafe handling of attacker-controlled properties. This can be chained with other vulnerabilities like DOM-based XSS, Open Redirection, Cookie Manipulation, Link Manipulation, and HTML Injection.

Recommendations For versions prior to 1.8.139, update to version 1.8.139 to resolve the issue. As a temporary workaround, consider disabling the getQueryParam function until a patch is available. Restrict access to the /public/js/main.js source file to minimize the risk of exploitation. Avoid using the proto key in URL query parameters until the issue is resolved.