FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's `Helper::stripDangerousTags()` removes `<script>`, `<form>`,…

FreeScout versions prior to 1.8.213 contain a CSS injection vulnerability in the mailbox signature field. The Helper::stripDangerousTags() function fails to remove <style> tags, allowing attackers with mailbox access to inject malicious CSS. This enables CSRF token exfiltration through CSS attribute selectors when admins or agents view conversations. Attackers can use stolen tokens to perform privilege escalation from agent to admin by creating admin accounts or changing credentials. This vulnerability results from an incomplete fix of a previous XSS issue (GHSA-jqjf-f566-485j).