FreeScout Insufficient Authorization Vulnerability Allowing Unauthorized Access to Client Information

Vulnerability

An authorization vulnerability exists in FreeScout versions prior to 1.8.180: the application does not verify which customers (clients) an authenticated user is permitted to view and edit. As a result, an authenticated user who has no access to any mailbox or conversation can still read and modify customer information. FreeScout includes a setting that limits customer visibility, but the vulnerability arises because that setting is not enforced on the affected code path.

Impact

Exploitation allows an authenticated user who should have no view of a customer to read and alter that customer's information. This exposes customer data to users who are not entitled to it, and edits made this way can corrupt the records that agents rely on when handling conversations.

Reproduction

To reproduce this vulnerability, log in as a user who has no access to any mailbox or conversation and send a POST request to the '/customers/{customer_id}/edit' endpoint, substituting the ID of an existing customer for {customer_id}. The request succeeds despite the missing permissions, because the server does not check whether the user is allowed to access or edit the specified customer. A patched instance (1.8.180 or later) should refuse the same request.
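The following Python model, added here and not part of the advisory or of FreeScout's own code base (FreeScout is written in PHP on Laravel), shows the shape of the defect: an edit handler that is authenticated but performs no per-customer authorization, beside one that enforces a visibility check before writing. The User, Customer and Settings classes, the restrict_customer_visibility flag, and the rule that a non-admin user may access a customer only through a mailbox that holds one of that customer's conversations are assumptions made for the illustration, not FreeScout's actual data model.

```python
"""Illustrative model of a missing per-customer authorization check.

Added example, not FreeScout's code. The data model and the visibility
rule below are assumptions chosen to show the pattern.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a user may not act on a customer."""


@dataclass
class User:
    user_id: int
    is_admin: bool = False
    # Mailboxes this user may access (assumed model).
    mailbox_ids: frozenset = frozenset()


@dataclass
class Customer:
    customer_id: int
    email: str
    # Mailboxes in which this customer has a conversation (assumed model).
    conversation_mailbox_ids: frozenset = frozenset()


@dataclass
class Settings:
    # Assumed analogue of a "limit customer visibility" setting.
    restrict_customer_visibility: bool = True


def can_access_customer(user, customer, settings):
    """Assumed rule: admins always may; otherwise, when visibility is
    restricted, the user needs access to at least one mailbox that holds
    a conversation with this customer."""
    if user.is_admin:
        return True
    if not settings.restrict_customer_visibility:
        return True
    return bool(user.mailbox_ids & customer.conversation_mailbox_ids)


def edit_customer_vulnerable(user, customer, new_email, settings):
    """Pre-fix shape: the caller is authenticated, but no per-customer
    check runs, so a user with no mailbox access can change the record."""
    customer.email = new_email
    return customer


def edit_customer_fixed(user, customer, new_email, settings):
    """Fixed shape: authorization is enforced before the write."""
    if not can_access_customer(user, customer, settings):
        raise Forbidden(
            f"user {user.user_id} may not edit customer {customer.customer_id}"
        )
    customer.email = new_email
    return customer


def demo():
    """Run both handlers against constructed sample data and report what
    each allowed: (email after vulnerable edit, whether the fixed handler
    blocked the outsider, email after a legitimate agent edit)."""
    settings = Settings(restrict_customer_visibility=True)
    customer = Customer(1, "alice@example.com", frozenset({7}))  # constructed
    outsider = User(42, mailbox_ids=frozenset())      # authenticated, no mailboxes
    agent = User(43, mailbox_ids=frozenset({7}))      # member of mailbox 7

    edit_customer_vulnerable(outsider, customer, "attacker@example.net", settings)
    vulnerable_result = customer.email

    customer.email = "alice@example.com"  # reset before exercising the fix
    try:
        edit_customer_fixed(outsider, customer, "attacker@example.net", settings)
        fixed_blocked = False
    except Forbidden:
        fixed_blocked = True

    edit_customer_fixed(agent, customer, "alice@corp.example", settings)
    return vulnerable_result, fixed_blocked, customer.email


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the check sits: it must run on the server, on every path that reads or writes a customer, and it must consult the visibility setting rather than rely on the user never finding the URL. Hiding a customer in the UI while leaving the edit endpoint unguarded is exactly the gap the advisory describes.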

Remediation

Update to FreeScout version 1.8.180 or later, where this vulnerability has been patched. There is no configuration workaround on earlier versions: the existing customer visibility setting is not enforced on the affected path, so enabling it alone does not mitigate the issue.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread          2.2
impact          1.3
exploitability  6.8
remediation     7.7
relevance       0.1
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.