CVE-2024-29184

{"id": "CVE-2024-29184", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.1}]}, "published": "2024-03-22T17:15:08.203", "references": [{"url": "https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-fffc-phh8-5h4v", "source": "security-advisories@github.com"}, {"url": "https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-fffc-phh8-5h4v", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "FreeScout is a self-hosted help desk and shared mailbox. A Stored Cross-Site Scripting (XSS) vulnerability has been identified within the Signature Input Field of the FreeScout Application prior to version 1.8.128. Stored XSS occurs when user input is not properly sanitized and is stored on the server, allowing an attacker to inject malicious scripts that will be executed when other users access the affected page. In this case, the Support Agent User can inject malicious scripts into their signature, which will then be executed when viewed by the Administrator.\n\nThe application protects users against XSS attacks by enforcing a CSP policy, the CSP Policy is: `script-src 'self' 'nonce-abcd' `. The CSP policy only allows the inclusion of JS files that are present on the application server and doesn't allow any inline script or script other than nonce-abcd. The CSP policy was bypassed by uploading a JS file to the server by a POST request to /conversation/upload endpoint. After this, a working XSS payload was crafted by including the uploaded JS file link as the src of the script. This bypassed the CSP policy and XSS attacks became possible.\n\nThe impact of this vulnerability is severe as it allows an attacker to compromise the FreeScout Application. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. Alternatively, the attacker can elevate the privileges of a low-privileged user to Administrator, further compromising the security of the application. Attackers can steal sensitive information such as login credentials, session tokens, personal identifiable information (PII), and financial data. The vulnerability can also lead to defacement of the Application.\n\nVersion 1.8.128 contains a patch for this issue."}, {"lang": "es", "value": "FreeScout es una mesa de ayuda autohospedada y un buz\u00f3n de correo compartido. Se identific\u00f3 una vulnerabilidad de cross-site scripting almacenados (XSS) dentro del campo de entrada de firma de la aplicaci\u00f3n FreeScout antes de la versi\u00f3n 1.8.128. El XSS almacenado ocurre cuando la entrada del usuario no se sanitiza adecuadamente y se almacena en el servidor, lo que permite a un atacante inyectar scripts maliciosos que se ejecutar\u00e1n cuando otros usuarios accedan a la p\u00e1gina afectada. En este caso, el usuario del agente de soporte puede inyectar scripts maliciosos en su firma, que luego se ejecutar\u00e1n cuando los vea el administrador. La aplicaci\u00f3n protege a los usuarios contra ataques XSS al aplicar una pol\u00edtica de CSP, la pol\u00edtica de CSP es: `script-src 'self' 'nonce-abcd' `. La pol\u00edtica de CSP solo permite la inclusi\u00f3n de archivos JS que est\u00e1n presentes en el servidor de aplicaciones y no permite ning\u00fan script en l\u00ednea o script que no sea nonce-abcd. La pol\u00edtica de CSP se omiti\u00f3 al cargar un archivo JS en el servidor mediante una solicitud POST al endpoint /conversation/upload. Despu\u00e9s de esto, se cre\u00f3 un payload XSS funcional incluyendo el enlace del archivo JS cargado como el src del script. Esto eludi\u00f3 la pol\u00edtica de CSP y los ataques XSS se hicieron posibles. El impacto de esta vulnerabilidad es grave ya que permite que un atacante comprometa la aplicaci\u00f3n FreeScout. Al explotar esta vulnerabilidad, el atacante puede realizar diversas acciones maliciosas, como obligar al administrador a ejecutar acciones sin su conocimiento o consentimiento. Por ejemplo, el atacante puede obligar al administrador a agregar un nuevo administrador controlado por el atacante, d\u00e1ndole as\u00ed control total sobre la aplicaci\u00f3n. Alternativamente, el atacante puede elevar los privilegios de un usuario con pocos privilegios a Administrador, comprometiendo a\u00fan m\u00e1s la seguridad de la aplicaci\u00f3n. Los atacantes pueden robar informaci\u00f3n confidencial, como credenciales de inicio de sesi\u00f3n, tokens de sesi\u00f3n, informaci\u00f3n de identificaci\u00f3n personal (PII) y datos financieros. La vulnerabilidad tambi\u00e9n puede provocar la destrucci\u00f3n de la Aplicaci\u00f3n. La versi\u00f3n 1.8.128 contiene un parche para este problema."}], "lastModified": "2024-11-21T09:07:44.997", "sourceIdentifier": "security-advisories@github.com"}