FreeScout Business Logic Error Vulnerability Allowing Unauthorized Mailbox Attribute Modification

Vulnerability

A business logic error (improper enforcement of the intended permission workflow) has been identified in FreeScout versions prior to 1.8.180. An authenticated user who holds only a subset of mailbox permissions can reach functionality that should require further rights, and can thereby modify Mailbox object attributes outside the scope of the permissions granted. Specifically, such a user can change mailbox settings including the email address, name, and mail server details, because the application does not validate each submitted attribute against the user's authorization.

Impact

Exploitation of this vulnerability lets a low-privileged user make unauthorized changes to mailbox settings. Because the affected attributes include the mailbox address and mail server details, this could be used to misuse shared mailbox functionality or to disrupt help desk operations.

Reproduction

The vulnerability can be reproduced by an authenticated user who has been granted only limited mailbox rights, such as editing email signatures or general mailbox information. The user sends a POST request to the mailbox settings endpoint and includes fields that lie outside those rights, for example the 'in_server' or 'auto_reply' parameters (which fields are out of scope depends on the rights assigned). The application processes the submitted fields without checking each one against the user's permissions, so attributes that should be inaccessible to that user are updated.
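The root cause described above is a permission check that is applied per request rather than per field. The following is an added example (not FreeScout's own code) contrasting the vulnerable pattern with a per-field whitelist derived from the user's permissions. The permission names, the field-to-permission mapping, and the Mailbox array shape are assumptions for illustration; the sample request is constructed.

```php
<?php
// Added example, not FreeScout code. Permission names, the field mapping and
// the mailbox shape below are assumed for illustration.
declare(strict_types=1);

// Which mailbox attributes each partial permission may change (assumed mapping).
const FIELDS_BY_PERMISSION = [
    'edit_signature'  => ['signature'],
    'edit_general'    => ['name', 'email'],
    'edit_auto_reply' => ['auto_reply', 'auto_reply_subject', 'auto_reply_message'],
];

// Server settings are reserved for administrators (assumed policy).
const ADMIN_ONLY_FIELDS = ['in_server', 'in_port', 'out_server', 'out_port'];

/**
 * Vulnerable pattern: once the route's coarse permission check passes, every
 * submitted field is merged into the mailbox. A user holding only
 * edit_signature can therefore submit in_server and have it persisted.
 */
function applyUpdateVulnerable(array $mailbox, array $request): array
{
    return array_merge($mailbox, $request);
}

/**
 * Hardened pattern: derive the set of writable fields from the user's
 * effective permissions, then split the request into accepted and rejected
 * keys so the caller can deny and log the violation.
 */
function filterMailboxUpdate(array $request, array $userPermissions, bool $isAdmin): array
{
    $allowed = [];
    if ($isAdmin) {
        $allowed = array_merge(ADMIN_ONLY_FIELDS, ...array_values(FIELDS_BY_PERMISSION));
    } else {
        foreach ($userPermissions as $perm) {
            $allowed = array_merge($allowed, FIELDS_BY_PERMISSION[$perm] ?? []);
        }
    }
    $allowedKeys = array_flip($allowed);
    return [
        'accepted' => array_intersect_key($request, $allowedKeys),
        'rejected' => array_keys(array_diff_key($request, $allowedKeys)),
    ];
}

function applyUpdateHardened(array $mailbox, array $request, array $perms, bool $isAdmin): array
{
    $result = filterMailboxUpdate($request, $perms, $isAdmin);
    if ($result['rejected'] !== []) {
        // Fail closed: a request carrying fields outside the user's rights is an
        // authorization violation, not a partial success.
        throw new RuntimeException('Unauthorized fields: ' . implode(', ', $result['rejected']));
    }
    return array_merge($mailbox, $result['accepted']);
}

// Constructed sample: a non-admin with only signature rights smuggles in_server.
$mailbox = [
    'name'      => 'Support',
    'email'     => 'support@example.com',
    'in_server' => 'imap.example.com',
    'signature' => 'Thanks',
];
$request = ['signature' => 'Regards', 'in_server' => 'imap.attacker.example'];
$perms   = ['edit_signature'];

$vuln = applyUpdateVulnerable($mailbox, $request);
echo "vulnerable: in_server is now {$vuln['in_server']}\n"; // the smuggled host was persisted

try {
    applyUpdateHardened($mailbox, $request, $perms, false);
} catch (RuntimeException $e) {
    echo "hardened: {$e->getMessage()}\n"; // the request is rejected and the field named
}
```

The design choice worth noting is that the hardened version rejects the whole request rather than silently dropping the extra fields: silently dropping hides the probing attempt from logs, while a hard failure surfaces the unauthorized field name to the caller and to detection tooling.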

Remediation

Users are advised to update FreeScout to version 1.8.180 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 5.0
exploitability: 6.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.