FreeScout Race Condition Vulnerability in User Deletion Process

Vulnerability

A race condition vulnerability has been identified in FreeScout, a self-hosted help desk and shared mailbox application, prior to version 1.8.181. The issue arises when an administrative user deletes another user: the deletion is not serialized against other requests, so concurrent modifications can interfere with and disrupt the deletion process. The vulnerability is present in versions 1.8.173 and 1.8.174, specifically in the '/users/ajax' endpoint, through its 'user_id' and 'action' request parameters.

Impact

Exploitation of this vulnerability could lead to improper user deletion, particularly in cases involving administrative accounts.

Reproduction

To reproduce this vulnerability, an administrator sends two simultaneous requests to the '/users/ajax' endpoint, each targeting a different user. Each request carries the 'user_id' and 'action' parameters, with 'action' set to 'delete_user'. Any tool that can issue concurrent HTTP requests, such as a custom script or a web application testing tool, is sufficient.

Remediation

Update to FreeScout version 1.8.181 or later, where this vulnerability has been patched.
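The following is an added illustration of the vulnerability class described above, not FreeScout's own code. It uses an in-memory user store and assumes, for the sake of the example, that the deletion handler enforces an invariant of "at least one administrator must remain" (the actual invariant FreeScout enforces is not stated on this page). The racy handler checks the invariant and then deletes in two unserialized steps, so two concurrent delete requests for two different administrators can both pass the check and leave no administrator at all; the hardened handler performs the check and the delete under one lock, which is the in-process analogue of running both inside a database transaction with a row lock.

```python
import threading
import time
from typing import Callable, Dict

# Constructed sample data (not from the advisory): two administrators and one agent.
SAMPLE_USERS = {
    1: {"name": "alice", "role": "admin"},
    2: {"name": "bob", "role": "admin"},
    3: {"name": "carol", "role": "user"},
}


class UserStore:
    """In-memory stand-in for a users table; hypothetical, for illustration only."""

    def __init__(self, users: Dict[int, dict]):
        self.users = {uid: dict(u) for uid, u in users.items()}
        self.lock = threading.Lock()

    def admin_count(self) -> int:
        return sum(1 for u in self.users.values() if u["role"] == "admin")

    def _check_then_delete(self, user_id: int, pause: Callable[[], None]) -> bool:
        user = self.users.get(user_id)
        if user is None:
            return False
        # Assumed invariant: never remove the last administrator.
        if user["role"] == "admin" and self.admin_count() <= 1:
            return False
        pause()  # models the gap between the check and the write (e.g. a DB round-trip)
        del self.users[user_id]
        return True

    def delete_user_racy(self, user_id: int, pause: Callable[[], None]) -> bool:
        """Vulnerable shape: check-then-act with nothing serializing concurrent requests."""
        return self._check_then_delete(user_id, pause)

    def delete_user_safe(self, user_id: int, pause: Callable[[], None]) -> bool:
        """Hardened shape: check and delete are one critical section."""
        with self.lock:
            return self._check_then_delete(user_id, pause)


def run_concurrent_deletes(serialized: bool) -> Dict[str, object]:
    """Issue two simultaneous 'delete_user' requests for the two administrators."""
    store = UserStore(SAMPLE_USERS)
    barrier = threading.Barrier(2)
    outcome: Dict[int, bool] = {}

    def worker(uid: int) -> None:
        if serialized:
            # A short sleep is enough: the lock keeps the second request waiting.
            outcome[uid] = store.delete_user_safe(uid, lambda: time.sleep(0.05))
        else:
            # The barrier forces both requests past the check before either deletes,
            # making the unlucky interleaving deterministic for the demonstration.
            outcome[uid] = store.delete_user_racy(uid, lambda: barrier.wait(timeout=2))

    threads = [threading.Thread(target=worker, args=(uid,)) for uid in (1, 2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {
        "deleted": sorted(uid for uid, ok in outcome.items() if ok),
        "admins_left": store.admin_count(),
    }


if __name__ == "__main__":
    print("racy:      ", run_concurrent_deletes(serialized=False))
    print("serialized:", run_concurrent_deletes(serialized=True))
```

In the racy run both requests succeed and the store ends with zero administrators; in the serialized run the second request is refused because the first has already committed. In a Laravel application the same effect is obtained by wrapping the check and the delete in a database transaction and selecting the affected rows with a `FOR UPDATE` lock (Laravel's `lockForUpdate()`), so that the second request observes the first request's result rather than the stale pre-check state.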

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 2.5
exploitability: 6.3
remediation: 7.7
relevance: 0.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.