FreeScout SSRF Vulnerability via Improper CIDR Check in IP Validation Function

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in FreeScout versions prior to 1.8.211. The issue arises in the 'checkIpByMask()' function within 'app/Misc/Helper.php', where the function incorrectly validates IP addresses. It only checks for the presence of a '/' character, which means plain IP addresses are always deemed invalid. As a result, the function fails to recognize CIDR ranges, leaving the entire 10.0.0.0/8 and 172.16.0.0/12 private IP ranges unprotected. This vulnerability can be exploited by crafting an email with a remote attachment URL that points to an internal API, bypassing the CIDR check and potentially leading to unauthorized access or actions on the server.
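Added here as an illustration, not FreeScout's code or the 1.8.211 patch: a mask check that handles both a plain address and a CIDR range, used as a deny list a fetcher can consult before connecting to a resolved attachment host. The function and constant names are assumptions; it relies on PHP's inet_pton and ctype_digit.

```php
<?php
// Added example (not FreeScout's code): a mask check that handles a plain address
// and a CIDR range, plus a deny list on top. The names below are assumptions.
/** True if $ip lies within $mask ("10.0.0.1" or "10.0.0.0/8"; IPv4 or IPv6). */
function ipMatchesMask(string $ip, string $mask): bool
{
    $ipBin = @inet_pton($ip);
    if ($ipBin === false) {
        return false;                       // not a valid address at all
    }
    if (strpos($mask, '/') === false) {     // plain address: exact match
        $maskBin = @inet_pton($mask);
        return $maskBin !== false && $ipBin === $maskBin;
    }
    [$subnet, $bits] = explode('/', $mask, 2);
    $subnetBin = @inet_pton($subnet);
    if ($subnetBin === false || !ctype_digit($bits)
        || strlen($subnetBin) !== strlen($ipBin)   // IPv4 vs IPv6 mismatch
        || (int) $bits > strlen($subnetBin) * 8) {
        return false;                       // malformed range never matches
    }
    $bits = (int) $bits;
    $fullBytes = intdiv($bits, 8);          // bytes fully covered by the prefix
    if (substr($ipBin, 0, $fullBytes) !== substr($subnetBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;                       // prefix bits left in the next byte
    if ($rem === 0) { return true; }
    $byteMask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $byteMask)
        === (ord($subnetBin[$fullBytes]) & $byteMask);
}

/** Ranges a fetcher should refuse: the two named above plus loopback and link-local. */
const BLOCKED_RANGES = ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12',
                        '192.168.0.0/16', '169.254.0.0/16', '::1/128', 'fc00::/7'];

function isBlockedAddress(string $ip): bool
{
    foreach (BLOCKED_RANGES as $range) {
        if (ipMatchesMask($ip, $range)) { return true; }
    }
    return false;
}

// Constructed sample addresses, as if resolved from an attachment host.
foreach (['10.20.30.40', '172.31.255.1', '172.32.0.1', '93.184.216.34'] as $ip) {
    echo $ip, ' => ', (isBlockedAddress($ip) ? 'blocked' : 'allowed'), PHP_EOL;
}
```

The check runs on the resolved address, not the hostname, so a name that resolves into 10.0.0.0/8 or 172.16.0.0/12 is refused along with a literal one.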

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an attacker can manipulate the server into making requests on their behalf. This could be used to access internal services or APIs that are not exposed to the public.

Reproduction

To reproduce this vulnerability, send an email to a FreeScout account that includes a URL pointing to an internal API or service within the unprotected CIDR ranges, such as 10.0.0.0/8 or 172.16.0.0/12. FreeScout will process the email and fetch the URL, bypassing the CIDR check and potentially accessing internal resources.

Remediation

Users should update FreeScout to version 1.8.211 or later, where this vulnerability has been patched.

Added: Mar 31, 2026, 11:03 PM
Updated: Mar 31, 2026, 11:03 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.4
exploitability: 8.3
remediation: 7.7
relevance: 5.0
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.