FreeScout
cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*
- < 1.8.209
A broken access control vulnerability has been identified in FreeScout versions through 1.8.208. The issue resides in the ThreadPolicy::edit() method: any authenticated user can read and modify all customer-created thread messages across all mailboxes, regardless of their role or mailbox access. This bypasses the entire mailbox permission model and allows silent modification of customer messages, which could be considered evidence tampering. It also constitutes a GDPR compliance violation.
Exploitation of this vulnerability leads to unauthorized access and modification of customer email data across all mailboxes, bypassing mailbox permissions and causing a GDPR compliance violation.
To reproduce this vulnerability, an authenticated user can send a request to the '/conversation/ajax' endpoint with the action 'load_edit_thread' to read customer thread messages. To modify a message, the user can send a request to the same endpoint with the action 'save_edit_thread', including the thread ID and the payload to overwrite the message. The vulnerability can be exploited by any authenticated user, as the access control checks are flawed.
Users can update to FreeScout version 1.8.209, which addresses the vulnerability by adding the necessary mailbox access checks. Instructions for updating can be found in the FreeScout release notes on GitHub.
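The class of bug described above can be modelled as a policy that skips the mailbox check, next to a form that gates every edit on it. This is an added example in Python, not FreeScout's PHP code. The `User`/`Thread` fields, the function names and the rule that admins reach every mailbox are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False
    mailbox_ids: frozenset = frozenset()  # mailboxes assigned to this user


@dataclass(frozen=True)
class Thread:
    id: int
    mailbox_id: int            # mailbox of the parent conversation
    created_by_customer: bool


def has_mailbox_access(user, mailbox_id):
    # Assumption: admins can reach every mailbox, others only assigned ones.
    return user.is_admin or mailbox_id in user.mailbox_ids


def edit_flawed(user, thread):
    # Behaviour the advisory describes: any authenticated user may edit a
    # customer-created thread; the thread's mailbox is never consulted.
    return thread.created_by_customer


def edit_fixed(user, thread):
    # Corrected form: the mailbox check comes first and gates the decision.
    return has_mailbox_access(user, thread.mailbox_id) and thread.created_by_customer


def cross_mailbox_grants(policy, users, threads):
    """Return (user_id, thread_id) pairs the policy allows without mailbox access."""
    return [(u.id, t.id) for u in users for t in threads
            if policy(u, t) and not has_mailbox_access(u, t.mailbox_id)]


# Constructed sample data: one admin, one agent in mailbox 10, one user with no mailbox.
USERS = [User(1, is_admin=True), User(2, mailbox_ids=frozenset({10})), User(3)]
THREADS = [Thread(100, 10, True), Thread(101, 20, True), Thread(102, 20, False)]

if __name__ == "__main__":
    print("flawed:", cross_mailbox_grants(edit_flawed, USERS, THREADS))
    print("fixed: ", cross_mailbox_grants(edit_fixed, USERS, THREADS))
```

Running the same exhaustive user-by-thread sweep against a real policy in a test suite turns the mailbox permission model into a regression check: the list must stay empty.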