FreeScout Mass Assignment Vulnerability in Mailbox Connection Settings Allows Email Exfiltration

Vulnerability

A mass assignment vulnerability has been identified in FreeScout versions prior to 1.8.213. The issue resides in the mailbox connection settings endpoints, specifically within the 'connectionIncomingSave' and 'connectionOutgoingSave' methods of the MailboxesController. These methods directly pass all request parameters to the Mailbox model without any field allowlisting, enabling an authenticated admin to overwrite critical fields, including 'auto_bcc', 'out_server', 'out_password', 'signature', 'auto_reply_enabled', and 'auto_reply_message'. The vulnerability can be exploited by injecting hidden parameters into the connection settings save request, with the 'auto_bcc' injection allowing for silent exfiltration of outgoing emails to the attacker. This exploitation is particularly concerning in environments with multiple admins, as it enables one admin to monitor mailboxes managed by others without detection.

Impact

Exploitation of this vulnerability allows an authenticated admin to silently overwrite any of the 32 fillable fields in the Mailbox model; the most direct abuse is the 'auto_bcc' field. The injection is invisible on the connection settings page, yet results in every outgoing email from the affected mailbox being BCC'd to the attacker. The same method could also be used to redirect outgoing SMTP through an attacker-controlled server, inject malicious links or tracking pixels into email signatures, or enable custom auto-replies, all from a single HTTP request.

Reproduction

To reproduce this vulnerability, log into FreeScout as an admin user and navigate to the connection settings for a mailbox. The 'auto_bcc' field will not be visible on the connection settings form. After locating the CSRF token, inject 'auto_bcc=attacker@evil.com' into the POST request body. This can be done through the browser console, by intercepting the request with Burp Suite, or by sending a direct curl request. Once the request is sent, the 'auto_bcc' injection can be verified by checking the general mailbox settings page, where it will now appear. To confirm exploitation, send an outgoing email from the affected mailbox and check for BCC'd copies sent to the injected email address.

Remediation

Update to FreeScout version 1.8.213 or later, where this vulnerability has been fixed.
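The pattern behind the Vulnerability section, shown as an added illustration rather than FreeScout's own controller code: a save handler that fills the model from the whole request body, beside a hardened form that allowlists the fields this form is allowed to change and logs anything else. The request/model names, the field list and the App\Mailbox namespace are assumptions modelled on the Laravel conventions the advisory describes.

```php
<?php
// Illustrative example, not FreeScout's actual code. Field names and the
// App\Mailbox namespace are assumed; adjust to the real model.
use App\Mailbox;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;

// Vulnerable shape: every POST parameter reaches Mailbox::fill(), so any of
// the model's $fillable fields (auto_bcc, out_server, signature, ...) can be
// written from a form that never displays them. The model's $fillable list is
// a global guard, not a per-form allowlist, which is why it does not help here.
function connectionIncomingSaveVulnerable(Request $request, Mailbox $mailbox): void
{
    $mailbox->fill($request->all()); // no field allowlisting
    $mailbox->save();
}

// Fields the incoming-connection form is actually meant to edit (assumed names).
const INCOMING_CONNECTION_FIELDS = [
    'in_server', 'in_port', 'in_username', 'in_password',
    'in_protocol', 'in_encryption', 'in_validate_cert',
];

// Hardened shape: the controller decides which fields this endpoint may touch.
// Extra parameters are dropped before fill(), and their names are logged with
// the acting user so an attempt to smuggle auto_bcc is both neutralised and
// visible to whoever reviews the application log.
function connectionIncomingSaveHardened(Request $request, Mailbox $mailbox): void
{
    $submitted  = array_keys($request->except(['_token', '_method']));
    $unexpected = array_values(array_diff($submitted, INCOMING_CONNECTION_FIELDS));

    if ($unexpected !== []) {
        Log::warning('Ignored unexpected mailbox connection fields', [
            'user_id'    => auth()->id(),
            'mailbox_id' => $mailbox->id,
            'fields'     => $unexpected,
        ]);
    }

    $mailbox->fill($request->only(INCOMING_CONNECTION_FIELDS));
    $mailbox->save();
}
```

The outgoing-connection handler gets the same treatment with its own allowlist of 'out_*' fields; 'auto_bcc', 'signature' and the auto-reply fields belong only to the general settings form and should never be accepted here.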

Added: Apr 21, 2026, 6:37 PM
Updated: Apr 21, 2026, 6:37 PM

Vulnerability Rating (custom algorithm)

spread          2.2
impact          7.5
exploitability  6.3
remediation     7.7
relevance       6.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.