CVE-2024-29184
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in FreeScout's signature input field allows a support agent to inject malicious JavaScript that executes when an administrator views the signature. The Content Security Policy (CSP) is bypassed by uploading the JavaScript as a file to the server and referencing that file from the signature rather than embedding the script inline. All FreeScout instances prior to version 1.8.128 are affected.
💻 Affected Systems
- FreeScout
📦 What is this software?
FreeScout by FreeScout: an open-source, self-hosted help desk and shared mailbox application.
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full administrative control: the injected script, running in the administrator's browser, creates new attacker-controlled admin accounts, leading to complete compromise of the help desk system and theft of its data.
Likely Case
An attacker steals the administrator's session tokens and credentials, then uses them to access sensitive customer data and modify system configuration.
If Mitigated
With a properly enforced CSP and input validation, the XSS payload would be blocked and the attack would fail.
🎯 Exploit Status
Exploit requires authenticated support agent access. The advisory includes technical details that make weaponization straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.128
Vendor Advisory: https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-fffc-phh8-5h4v
Restart Required: Yes
Instructions:
1. Back up your FreeScout database and files.
2. Update to version 1.8.128 via the built-in updater or a manual installation.
3. Restart the web server (Apache/Nginx) and PHP-FPM, if applicable.
🔧 Temporary Workarounds
Disable signature functionality
Temporarily disable the signature feature in FreeScout to prevent exploitation via the vulnerable input field.
Modify FreeScout configuration to remove signature fields from user profiles
Enhance CSP policy
Strengthen the Content Security Policy to prevent unauthorized script execution from uploaded files.
Add 'strict-dynamic' and remove 'unsafe-inline' from CSP headers
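The following is an added example, not code from FreeScout or from the advisory, that checks a Content-Security-Policy header value for the two weaknesses the workaround above targets: 'unsafe-inline' in the effective script-src, and a host or 'self' allowlist without 'strict-dynamic', which is what lets a JavaScript file uploaded to the same origin be loaded. The header values below are constructed, and the nonce value is a placeholder; a real deployment generates a fresh nonce per response and places it on every legitimate script tag.

```python
import re

# Constructed header values for illustration (placeholder nonce, not a real one).
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"
HARDENED_CSP = "default-src 'self'; script-src 'nonce-PLACEHOLDER' 'strict-dynamic'"

NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)", re.IGNORECASE)


def parse_csp(header_value):
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, *sources = tokens
        policy[name.lower()] = sources
    return policy


def effective_script_sources(policy):
    """script-src governs scripts; when absent, browsers fall back to default-src."""
    return policy.get("script-src", policy.get("default-src", []))


def review_script_policy(header_value):
    """Return a list of findings about how scripts may be loaded under this policy."""
    sources = [s.lower() for s in effective_script_sources(parse_csp(header_value))]
    findings = []
    if not sources:
        findings.append("no script-src or default-src: scripts from any origin may run")
        return findings

    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
    has_strict_dynamic = "'strict-dynamic'" in sources
    # Host sources include bare hosts/schemes and the 'self' keyword; they are honoured
    # only when 'strict-dynamic' is absent.
    has_host_allowlist = "'self'" in sources or any(not s.startswith("'") for s in sources)

    if "'unsafe-inline'" in sources:
        findings.append("'unsafe-inline' permits inline <script> blocks and event handlers")
    if has_host_allowlist and not has_strict_dynamic:
        findings.append("host/'self' allowlist without 'strict-dynamic': a .js file uploaded "
                        "to the same origin is an allowed script source")
    if has_strict_dynamic and not has_nonce_or_hash:
        findings.append("'strict-dynamic' without a nonce or hash source: no script can load")
    return findings


if __name__ == "__main__":
    for label, value in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(label, review_script_policy(value) or ["no findings"])
```

Note that 'strict-dynamic' makes browsers that support it ignore host allowlists such as 'self', so it cannot simply be appended to an existing policy: every script tag the application emits must then carry the nonce or be covered by a hash, or the page's own scripts stop loading. The checker flags that case as well.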
🧯 If You Can't Patch
- Restrict file upload permissions to prevent malicious JS file uploads via the /conversation/upload endpoint
- Implement additional input validation and output encoding for signature fields
🔍 How to Verify
Check if Vulnerable:
Check the FreeScout version in the admin panel or via the version file. If the version is below 1.8.128, the system is vulnerable.
Check Version:
Check the /version.txt file or the version display on the admin dashboard.
Verify Fix Applied:
After updating, verify that the version is 1.8.128 or higher and test that script tags in signature fields are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /conversation/upload endpoint
- JavaScript payloads in user signature fields
- Administrator account creation/modification events
Network Indicators:
- POST requests to /conversation/upload with JS file extensions
- Script tags referencing uploaded files in HTTP responses
SIEM Query:
source="freescout.log" AND (uri_path="/conversation/upload" OR message="script" OR message="signature")
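The following is an added example, not code from FreeScout or from the advisory, that turns the verification and detection guidance above into runnable checks: a version comparison against 1.8.128, a test for active content in a stored signature, and a detector that applies the three log indicators to sample lines. The log lines are constructed in a simple key=value shape for the example; FreeScout's real log format differs, the /conversation/upload path comes from the page, and the `field=`, `value=`, `event=` and `role=` fields are assumptions about what an audit log would carry.

```python
import re

# Version at which the advisory reports the fix (from the page).
FIXED_VERSION = (1, 8, 128)


def parse_version(text):
    """Turn a version string such as the contents of /version.txt into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_version(text):
    """True when the running version is below 1.8.128."""
    return parse_version(text) < FIXED_VERSION


# Script tags, javascript: URLs and inline event handlers have no place in a rendered signature.
ACTIVE_CONTENT = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def signature_has_active_content(html):
    """Use after patching: a stored signature that still matches was not sanitized."""
    return ACTIVE_CONTENT.search(html) is not None


# Constructed sample log in key=value form (not FreeScout's real format).
SAMPLE_LOG = """\
ts=2024-03-18T10:01:02Z user=agent7 method=POST uri_path=/conversation/upload filename=invoice.pdf status=200
ts=2024-03-18T10:03:41Z user=agent7 method=POST uri_path=/conversation/upload filename=notes.js status=200
ts=2024-03-18T10:04:05Z user=agent7 method=POST uri_path=/profile field=signature value="Regards<script src=/storage/notes.js></script>" status=302
ts=2024-03-18T10:09:30Z user=admin method=GET uri_path=/users/7 status=200
ts=2024-03-18T10:10:12Z user=admin event=user_created role=admin target=newadmin status=302
"""

# key=value pairs; values may be double-quoted and then contain spaces and '='.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    fields = {}
    for key, value in KV.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def detect(lines):
    """Return (line_number, indicator, user) for every line matching one of the indicators."""
    findings = []
    for number, line in enumerate(lines, 1):
        f = parse_line(line)
        user = f.get("user")
        if (f.get("uri_path") == "/conversation/upload"
                and f.get("filename", "").lower().endswith((".js", ".mjs"))):
            findings.append((number, "JavaScript file uploaded via /conversation/upload", user))
        if f.get("field") == "signature" and signature_has_active_content(f.get("value", "")):
            findings.append((number, "active content stored in a signature field", user))
        if f.get("event") in ("user_created", "user_updated") and f.get("role") == "admin":
            findings.append((number, "administrator account created or modified", user))
    return findings


if __name__ == "__main__":
    for number, indicator, user in detect(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {indicator} (user={user})")
```

In practice the three indicators are most useful correlated rather than alone: a .js upload followed within minutes by a signature change from the same agent, and then an administrator account event, is the sequence the advisory describes, whereas any one of them on its own is often routine.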