FreeScout Remote Code Execution Vulnerability via Deserialization of Untrusted Data

A remote code execution vulnerability has been identified in FreeScout versions through 1.8.185. This issue arises from the deserialization of untrusted data, allowing authenticated attackers who know the application's APP_KEY to execute arbitrary code. The vulnerability is exploited through a specific endpoint where the 'customer_id' and 'timestamp' parameters are improperly validated, enabling the crafting of malicious serialized PHP objects that can trigger command execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where FreeScout is hosted.

Reproduction

To reproduce this vulnerability, send a GET request to the '/help/{mailbox_id}/auth/{customer_id}/{hash}/{timestamp}' endpoint. The 'customer_id' and 'timestamp' parameters should be crafted to include a serialized payload that, when deserialized, executes arbitrary commands on the server. Knowledge of the application's APP_KEY is required to successfully exploit this vulnerability.

Remediation

Users can upgrade to FreeScout version 1.8.186 or later to address this vulnerability.