FreeScout Account Activation Bypass Vulnerability via Unactivated Invitation Links

Vulnerability

A business logic vulnerability has been identified in FreeScout, a self-hosted help desk and shared mailbox application, prior to version 1.8.180. It allows an attacker to self-activate a blocked or deleted account by reusing an unactivated email invitation that still contains a valid invite hash. The invitation link bypasses the application's account-state checks and grants access to the account.

Impact

Exploitation of this vulnerability allows for unauthorized account activation, bypassing restrictions on blocked or deleted accounts.

Reproduction

To reproduce this vulnerability, obtain an unactivated invitation email that includes the invite hash. Then, use the invitation link to access the user setup endpoint, including the invite hash in the request. Fill out the required fields, such as email, password, job title, phone, timezone, time format, and status. Submit the request to activate the account.

Remediation

Users are advised to update FreeScout to version 1.8.180 or later, where this vulnerability has been patched.
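The flaw is a missing account-state check: the user setup endpoint trusts a matching invite hash alone, so an invitation issued before an account was blocked or deleted still activates it. The following Python snippet is an added illustration of that check and is not FreeScout's code (FreeScout is a PHP application); the `User` model, status values, function names and the stand-in password hashing are assumptions made for the example. It contrasts a hash-only check with a hardened one that honours an invitation only while the account is in the invited state, compares the hash in constant time, and consumes the invitation so the same link cannot be replayed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class UserStatus(Enum):
    INVITED = "invited"   # invitation sent, account not yet set up (assumed state name)
    ACTIVE = "active"
    BLOCKED = "blocked"   # disabled by an administrator
    DELETED = "deleted"   # soft-deleted


@dataclass
class User:
    """Hypothetical user record; not FreeScout's model."""
    email: str
    status: UserStatus
    invite_hash: Optional[str] = None     # None once the invitation has been consumed
    password_hash: Optional[str] = None


class ActivationError(Exception):
    pass


def _hash_password(password: str) -> str:
    # Stand-in only; a real application would use bcrypt/argon2 with a salt.
    return hashlib.sha256(password.encode()).hexdigest()


def new_invite_hash() -> str:
    # Unguessable, single-use invitation token.
    return secrets.token_urlsafe(32)


def setup_user_vulnerable(user: User, invite_hash: str, password: str) -> User:
    """Hash-only gate: the pattern behind the advisory.

    A blocked or deleted account that still carries an old invitation hash
    can be moved straight to ACTIVE, because the account state is never consulted.
    """
    if user.invite_hash is None or user.invite_hash != invite_hash:
        raise ActivationError("invalid invitation")
    user.password_hash = _hash_password(password)
    user.status = UserStatus.ACTIVE
    return user


def setup_user_hardened(user: User, invite_hash: str, password: str) -> User:
    """Hardened gate: state check first, constant-time compare, one-shot token."""
    # 1. An invitation is a single transition INVITED -> ACTIVE. Blocked, deleted
    #    and already-active accounts must never be (re)activated through it.
    if user.status is not UserStatus.INVITED:
        raise ActivationError(f"account is {user.status.value}; invitation not usable")
    # 2. Compare the token in constant time so the check leaks nothing via timing.
    if user.invite_hash is None or not hmac.compare_digest(user.invite_hash, invite_hash):
        raise ActivationError("invalid invitation")
    # 3. Consume the invitation so the same link cannot be replayed later.
    user.invite_hash = None
    user.password_hash = _hash_password(password)
    user.status = UserStatus.ACTIVE
    return user


def demo() -> dict:
    """Exercise both flows with a stale invitation on a blocked account (constructed data)."""
    stale = new_invite_hash()
    results = {}

    blocked = User("blocked@example.test", UserStatus.BLOCKED, invite_hash=stale)
    setup_user_vulnerable(blocked, stale, "pw")
    results["vulnerable_blocked"] = blocked.status.value        # "active": the bypass

    blocked = User("blocked@example.test", UserStatus.BLOCKED, invite_hash=stale)
    try:
        setup_user_hardened(blocked, stale, "pw")
    except ActivationError:
        pass
    results["hardened_blocked"] = blocked.status.value          # stays "blocked"

    invited = User("new@example.test", UserStatus.INVITED, invite_hash=new_invite_hash())
    token = invited.invite_hash
    setup_user_hardened(invited, token, "pw")
    results["hardened_invited"] = invited.status.value          # "active", legitimate path
    try:
        setup_user_hardened(invited, token, "pw")               # replay of the same link
        results["hardened_replay"] = "accepted"
    except ActivationError:
        results["hardened_replay"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering in the hardened variant matters: checking the account state before the hash means a blocked or deleted user receives the same rejection whether or not they still hold a valid link, and the state check is the one that actually closes the bypass described in this advisory.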

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 5.0
exploitability: 6.4
remediation: 7.7
relevance: 0.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.