FreeScout 易受 CSS 注入影响，通过邮箱签名中的存储样式标签 (CSRF Token 窃取)

该CSRF漏洞源于FreeScout在处理mailbox签名时，未能正确过滤<style>标签。攻击者可以利用此漏洞构造恶意的CSS代码，通过POST请求修改mailbox设置，并将恶意代码注入到签名中。由于CSP允许style-src * 'self' 'unsafe-inline'，注入的内联样式能够被浏览器执行。攻击者可以利用此漏洞窃取用户数据，例如通过CSS样式修改页面布局，诱导用户泄露敏感信息，或者执行其他恶意操作。该漏洞的潜在影响包括信息泄露、用户欺骗以及可能的账户接管。

Organizations using FreeScout for help desk and shared mailbox management are at risk, particularly those running versions 1.0.0 through 1.8.212. Shared hosting environments where multiple users share a FreeScout instance are especially vulnerable, as an attacker could potentially compromise the settings of one mailbox and impact other users.

• php: Examine FreeScout logs for POST requests to /mailbox/settings/{id} containing <style> tags with unusual or obfuscated content. Use grep to search for patterns like style=javascript: or style=expression.

grep 'style=javascript:' /var/log/freescout/access.log

• generic web: Monitor HTTP POST requests to /mailbox/settings/{id} for suspicious CSS content in the request body. Use a WAF or intrusion detection system to flag such requests. • generic web: Check mailbox signatures for unusual CSS patterns. Inspect the HTML source code of conversation views for injected <style> tags.

1. 2026-04-21Disclosure

   disclosure

1. 已保留2026-04-13
2. 发布日期2026-04-21
3. EPSS 更新日期2026-04-28

为了缓解CVE-2026-40497的影响，首要措施是立即升级FreeScout至1.8.213版本或更高版本。如果无法立即升级，可以考虑实施以下临时缓解措施：严格控制mailbox设置的访问权限，仅允许授权管理员和代理访问。实施严格的输入验证和输出编码，防止恶意代码注入。配置Web应用防火墙（WAF），阻止包含恶意CSS代码的请求。定期审查mailbox设置，检查是否存在异常修改。升级后，请确认通过检查mailbox签名显示，确保没有恶意CSS代码残留。