FreeScout
cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*
- < 1.8.212
A cross-mailbox authorization bypass vulnerability has been identified in FreeScout, a help desk and shared inbox application built on the Laravel PHP framework. This vulnerability affects versions prior to 1.8.212. The issue arises because the application does not properly consider the 'limit_user_customer_visibility' setting when merging customers: the visibility restriction is not enforced on the customer being merged away. As a result, non-admin users can merge customers from mailboxes they should not have access to, leading to unauthorized data manipulation.
Exploitation of this vulnerability allows for unauthorized merging of customer profiles across different mailboxes, with destructive consequences. The target customer is permanently removed, their email is transferred to the source customer, and their conversation history is reassigned, potentially causing loss of important data.
To reproduce this vulnerability, log in as a non-admin user with restricted mailbox access. Attempt to merge a visible customer from the user's assigned mailbox with a hidden customer from a different mailbox using the 'POST /customers/{source_id}/merge' endpoint. The merge will be accepted despite the target customer being out of scope for the user.
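The core of the fix is that the visibility check has to cover both customers in a merge, not only the one the user started from. The following is an added illustration of such a check and is not FreeScout's own code: the data structures, the `canViewCustomer` and `authorizeMerge` functions, and the sample customers, users and mailbox ids are all hypothetical, constructed for this example.

```php
<?php
// Added example (not FreeScout's code): an authorization check for a customer
// merge that honours a "limit customer visibility" setting. Names, data
// structures and sample ids are hypothetical; the real models differ.

declare(strict_types=1);

// Constructed sample data: the mailboxes each customer has conversations in,
// and the mailboxes each user is assigned to.
$customers = [
    101 => ['name' => 'Visible customer', 'mailboxes' => [1]],
    202 => ['name' => 'Hidden customer',  'mailboxes' => [2]],
    303 => ['name' => 'Shared customer',  'mailboxes' => [1, 2]],
];

$users = [
    7 => ['is_admin' => false, 'mailboxes' => [1]],
    8 => ['is_admin' => true,  'mailboxes' => []],
];

/**
 * Can $user see $customer? With visibility limiting enabled, a non-admin
 * may only see customers that have at least one conversation in one of
 * the user's own mailboxes. Admins always see everything.
 */
function canViewCustomer(array $user, array $customer, bool $limitVisibility): bool
{
    if ($user['is_admin'] || !$limitVisibility) {
        return true;
    }
    return count(array_intersect($user['mailboxes'], $customer['mailboxes'])) > 0;
}

/**
 * Authorize merging $targetId into $sourceId. The check is applied to BOTH
 * customers: the target is the one that gets deleted and whose conversations
 * are reassigned, so it is the one an out-of-scope user must not reach.
 */
function authorizeMerge(array $user, array $customers, int $sourceId, int $targetId, bool $limitVisibility): bool
{
    if ($sourceId === $targetId) {
        return false; // merging a customer into itself is meaningless
    }
    if (!isset($customers[$sourceId], $customers[$targetId])) {
        return false; // unknown id; same answer as "not visible" so ids are not enumerable
    }
    return canViewCustomer($user, $customers[$sourceId], $limitVisibility)
        && canViewCustomer($user, $customers[$targetId], $limitVisibility);
}

// Demonstration: user 7 is assigned only mailbox 1, visibility limiting is on.
$limit = true;
foreach ([[7, 101, 202], [7, 101, 303], [8, 101, 202]] as [$userId, $source, $target]) {
    $verdict = authorizeMerge($users[$userId], $customers, $source, $target, $limit) ? 'allowed' : 'denied';
    printf("user %d merging %d into %d: %s\n", $userId, $target, $source, $verdict);
}
```

In a Laravel application this kind of check belongs in a policy or gate evaluated by the merge controller action before any records are modified; the important property is that a request whose target customer lies outside the user's mailboxes is rejected with the same response as a nonexistent customer, so the endpoint neither performs the merge nor confirms that the hidden customer exists.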
Users should update FreeScout to version 1.8.212 or later, where this vulnerability has been fixed.