CVE-2024-29184

Summary

CVE-2024-29184 is a stored Cross-Site Scripting (XSS) vulnerability affecting the FreeScout help desk application prior to version 1.8.128. The issue lies in the Signature Input Field, where user input is not properly sanitized and stored on the server. This allows an attacker to inject malicious scripts that are executed when other users access the affected page. The FreeScout Application employs a Content Security Policy (CSP) to protect against XSS attacks, but this was bypassed by uploading a JavaScript (JS) file to the server via a POST request to the /conversation/upload endpoint. The bypassed CSP policy only allowed the inclusion of JS files present on the application server, but the uploaded JS file enabled inline scripts, leading to successful XSS attacks. The consequences of this vulnerability are severe. Attackers can manipulate the Administrator into executing unintended actions, potentially adding new administrators controlled by the attacker or elevating low-privileged users to Administrator status. Sensitive information, including login credentials, session tokens, personal identifiable information (PII), and financial data, can be stolen. The application can also be defaced. FreeScout's version 1.8.128 includes a patch to address this issue.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.