An XSS (Cross-Site Scripting) vulnerability occurs in the thread viewer when tickets are created via the mailbox integration.

[jekill]

Description
An XSS (Cross-Site Scripting) vulnerability occurs in the thread viewer when tickets are created via the mailbox integration. If a ticket contains malicious JavaScript code, it executes upon opening the ticket in UVdesk.

How to reproduce

1. Send an email to the mailbox connected with UVdesk containing the following text in the email body:

   <script>alert('Knock knock')</script>

2. Wait for the ticket to be automatically created in UVdesk from the email.
3. Open the newly created ticket in the thread viewer.
4. Observe that the JavaScript code executes, displaying an alert message.

Possible Solution
Implement proper input sanitization and encoding for ticket content generated from emails to prevent execution of embedded scripts.
https://github.com/uvdesk/mailbox-component/blob/v1.1.3/Services/MailboxService.php#L421

Additional context
This vulnerability could allow attackers to execute arbitrary JavaScript code in the context of the user's browser session, potentially leading to session hijacking or other malicious activities. Screenshots or logs can be provided upon request.