FreeScout Mass Assignment Vulnerability in Customer Object Allowing Workflow Bypass

Vulnerability

A mass assignment vulnerability has been identified in FreeScout versions prior to 1.8.180. It allows authorized users to bypass required actions in the application's workflow logic when editing customer details. The issue arises because the 'fill()' method updates the Customer object with all client-provided data, including unexpected values for the 'channel' and 'channel_id' fields. As a result, users can manipulate these fields and potentially gain access to features or functionality that the workflow is meant to keep from them.

Impact

Exploitation of this vulnerability could lead to unauthorized access to functional features by bypassing established workflow requirements.

Reproduction

To reproduce this vulnerability, an authorized user can send a POST request to the '/customers/{customer_id}/edit' endpoint that includes a 'channel_id' parameter with a value of the user's choosing. The 'fill()' method writes this unexpected value onto the Customer object, which is the mass assignment defect described above.
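As an added illustration of the defect described above and in the reproduction request (example code, not FreeScout's own and not Eloquent: the Customer class below is a minimal stand-in for a model with a Laravel-style fill(), and its field values and allow-list are constructed), the write-through pattern is shown beside an allow-list version that keeps 'channel' and 'channel_id' out of reach of the edit form:

```php
<?php
// Added example, not FreeScout's or Laravel's code: a minimal stand-in for a
// model with a Laravel-style fill(). Field names follow the advisory; sample
// values and the allow-list are constructed for illustration.
final class Customer
{
    private array $attributes = [
        'first_name' => 'Alice',
        'email'      => 'alice@example.test',
        'channel'    => null,   // set by application logic, never by the edit form
        'channel_id' => null,   // likewise: must not come straight from the client
    ];
    // Fields a user is allowed to change through the customer edit form.
    private array $fillable = ['first_name', 'last_name', 'email', 'phone'];

    // Vulnerable pattern: every key in the request body is written through,
    // so an extra 'channel_id' parameter lands on the object.
    public function fillAll(array $input): void
    {
        foreach ($input as $key => $value) {
            $this->attributes[$key] = $value;
        }
    }

    // Hardened pattern: only allow-listed keys are written. The dropped keys
    // are returned so the caller can log them as a tampering signal.
    public function fillSafe(array $input): array
    {
        $allowed = array_flip($this->fillable);
        foreach (array_intersect_key($input, $allowed) as $key => $value) {
            $this->attributes[$key] = $value;
        }
        return array_keys(array_diff_key($input, $allowed));
    }

    public function get(string $key)
    {
        return $this->attributes[$key] ?? null;
    }
}
// Constructed POST body: a legitimate edit plus an unexpected 'channel_id'.
$input = ['first_name' => 'Alice', 'email' => 'alice@example.test', 'channel_id' => 42];
$vulnerable = new Customer();
$vulnerable->fillAll($input);
printf("fillAll  -> channel_id=%s\n", var_export($vulnerable->get('channel_id'), true));
$hardened = new Customer();
$rejected = $hardened->fillSafe($input);
printf("fillSafe -> channel_id=%s, rejected=[%s]\n", var_export($hardened->get('channel_id'), true), implode(', ', $rejected));
```

Logging the rejected keys from fillSafe() gives a simple detection signal for edit requests carrying parameters the form never sends.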

Remediation

Users are advised to update FreeScout to version 1.8.180 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 6.8
remediation: 7.7
relevance: 0.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.