FreeScout
cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*
- < 1.8.179
A vulnerability in FreeScout prior to version 1.8.179 allows users to access messages from other conversations or mailboxes without proper authorization. This issue arises when a conversation is created from a message in another conversation, as there is no verification of the user's permission to view the message. The 'show_only_assigned_conversations' setting, which controls access to conversations, is also not enforced. As a result, users can view arbitrary messages they should not have access to.
Exploitation of this vulnerability could lead to unauthorized access to private messages or conversations, violating user privacy and potentially exposing sensitive information.
To reproduce this vulnerability, an authorized user can send a request to the '/mailbox/{mailbox_id}/new-ticket' endpoint, including a 'from_thread_id' parameter that references a thread the user is not permitted to view. The absence of an access check will allow the user to access the restricted message.
Users should update to FreeScout version 1.8.179 or later, where this vulnerability has been patched.
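The missing check described above, as a simplified Python model that is an added illustration and not FreeScout's own code. All class, field and function names and the sample data are hypothetical; it assumes the target mailbox was already checked before the patch and models 'show_only_assigned_conversations' as a per-user flag limiting a user to conversations assigned to them.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model, not FreeScout source. All names and data are constructed.
@dataclass
class Thread:
    mailbox_id: int
    assignee_id: Optional[int]  # user the parent conversation is assigned to
    body: str

@dataclass
class User:
    id: int
    mailbox_ids: set = field(default_factory=set)
    show_only_assigned_conversations: bool = False  # assumed per-user here

THREADS = {  # constructed sample data: thread id -> thread
    10: Thread(mailbox_id=1, assignee_id=1, body="support: reset link sent"),
    11: Thread(mailbox_id=1, assignee_id=2, body="support: invoice question"),
    20: Thread(mailbox_id=2, assignee_id=None, body="hr: salary review"),
}

def can_view_thread(user: User, thread: Thread) -> bool:
    """Apply both rules the advisory says were skipped."""
    if thread.mailbox_id not in user.mailbox_ids:
        return False
    if user.show_only_assigned_conversations and thread.assignee_id != user.id:
        return False
    return True

def prefill_vulnerable(user: User, mailbox_id: int, from_thread_id: int) -> Optional[str]:
    """Pre-patch behaviour as described: only the target mailbox is checked (assumed)."""
    if mailbox_id not in user.mailbox_ids:
        raise PermissionError("no access to target mailbox")
    thread = THREADS.get(from_thread_id)
    return thread.body if thread else None  # source thread is never authorized

def prefill_hardened(user: User, mailbox_id: int, from_thread_id: int) -> str:
    """Same flow with the source thread authorized before its body is used."""
    if mailbox_id not in user.mailbox_ids:
        raise PermissionError("no access to target mailbox")
    thread = THREADS.get(from_thread_id)
    # One error for "missing" and "forbidden" so responses do not reveal valid ids.
    if thread is None or not can_view_thread(user, thread):
        raise PermissionError("source thread not accessible")
    return thread.body
```

A regression test for the fix should cover both denial paths: a thread in a mailbox the user cannot see, and a thread in a visible mailbox that is assigned to someone else while the setting is on.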