FreeScout Mass Assignment Vulnerability in User Creation

Vulnerability

A mass assignment vulnerability has been identified in FreeScout, a self-hosted help desk and shared mailbox application, prior to version 1.8.180. The vulnerability arises from inadequate input validation during user creation: the request body is applied to the User model without a per-endpoint allowlist, so an attacker can set any field of the User object that is listed in the model's $fillable array (the Laravel Eloquent mass-assignment allowlist), not only the fields the creation form is meant to accept. The issue can be exploited by users with administrative privileges or the specific permission 'User::PERM_EDIT_USERS'.

Impact

Exploitation of this vulnerability allows for unauthorized manipulation of user data, including the ability to create users with elevated privileges or access rights.

Reproduction

To reproduce this vulnerability, send a POST request to the '/users/wizard' endpoint. Include the 'first_name', 'last_name', 'email', and 'photo_url' fields, among others. The 'photo_url' field can be used to inject a path to the .htaccess file, demonstrating the ability to manipulate user data inappropriately.
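The following added example is not FreeScout's code; it is a small Python simulation of the Laravel Eloquent fill()/$fillable pattern that the advisory describes, written to show why a model-level $fillable list alone does not prevent mass assignment and what a hardened user-creation handler looks like. The model fields, the wizard field list, the audit log shape and the request body are all assumed and constructed for illustration.

```python
"""Simulation (not FreeScout's code) of the mass-assignment defect described above.

A Laravel-style model keeps a $fillable allowlist; fill() silently copies every
request key that is on that list.  A creation endpoint that passes the whole
request body to fill() therefore lets a caller set any fillable field, even ones
the creation form never exposes.  The hardened handler below applies its own
per-endpoint allowlist, validates each accepted value and records dropped keys
for monitoring.  All field names here are assumptions for the example.
"""
from urllib.parse import urlparse


class ForbiddenField(ValueError):
    """Raised when a request carries a value the endpoint must not accept."""


class User:
    # Assumed model allowlist, standing in for $fillable. 'role' and 'photo_url'
    # are fillable because other, trusted code paths legitimately set them.
    FILLABLE = ("first_name", "last_name", "email", "role", "photo_url")

    def __init__(self):
        self.attributes = {}

    def fill(self, data):
        """Mimics Eloquent's fill(): keep keys in FILLABLE, silently drop the rest."""
        for key, value in data.items():
            if key in self.FILLABLE:
                self.attributes[key] = value
        return self


# The only fields the (assumed) creation wizard form is meant to submit.
WIZARD_FIELDS = ("first_name", "last_name", "email")


def create_user_vulnerable(request_body):
    """Defective pattern: the entire request body reaches the model's fill()."""
    return User().fill(request_body)


def validate_photo_url(value):
    """Accept only absolute http(s) URLs, so a filesystem path is rejected."""
    parsed = urlparse(str(value))
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ForbiddenField("photo_url must be an absolute http(s) URL")
    return str(value)


def create_user_hardened(request_body, audit_log):
    """Per-endpoint allowlist plus validation of every accepted value.

    Keys outside WIZARD_FIELDS never reach fill(); they are logged so that a
    client repeatedly sending unexpected fields (e.g. 'role') can be spotted.
    """
    dropped = sorted(set(request_body) - set(WIZARD_FIELDS))
    if dropped:
        audit_log.append(f"/users/wizard: dropped unexpected field(s) {dropped}")
    clean = {}
    for key in WIZARD_FIELDS:
        value = request_body.get(key)
        if not isinstance(value, str) or not value.strip():
            raise ForbiddenField(f"{key} is required")
        clean[key] = value.strip()
    if "@" not in clean["email"]:
        raise ForbiddenField("email is malformed")
    return User().fill(clean)


# Constructed request body: the wizard's own fields plus two keys the form does
# not expose ('role', 'photo_url') and one that is not fillable at all ('id').
CONSTRUCTED_REQUEST = {
    "first_name": "Alice",
    "last_name": "Example",
    "email": "alice@example.test",
    "role": 1,
    "photo_url": ".htaccess",
    "id": 999,
}

if __name__ == "__main__":
    victim = create_user_vulnerable(CONSTRUCTED_REQUEST)
    print("vulnerable:", victim.attributes)   # 'role' and 'photo_url' were set; 'id' was not
    log = []
    safe = create_user_hardened(CONSTRUCTED_REQUEST, log)
    print("hardened:  ", safe.attributes, log)
```

Note that $fillable still does its job (the non-fillable 'id' is dropped in both handlers); the defect is that the endpoint relies on it as the only filter. The fix is the same shape in Laravel itself: pass an explicit subset of the request (for example the result of a validated form request) to create()/fill(), and validate photo_url as a URL wherever it is accepted.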

Remediation

Users are advised to update FreeScout to version 1.8.180 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread: 2.2
impact: 5.0
exploitability: 6.3
remediation: 7.7
relevance: 0.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.