FreeScout Assigned-Only Conversation Visibility Vulnerability

A vulnerability in FreeScout prior to version 1.8.215 allows assigned-only users to access conversations that should be hidden. While the assigned-only restriction is enforced in direct conversation views and folder queries, it fails to apply to non-folder query builders. As a result, global searches and AJAX filter requests can inadvertently reveal these concealed conversations.

Impact

This vulnerability allows assigned-only conversations to be discovered through global search and AJAX filter paths, despite being hidden in direct conversation views.

Reproduction

To reproduce this vulnerability, log in as a non-assignee agent with access to the FreeScout application. Ensure that the '.env' file is configured to show only assigned conversations. After logging in, attempt to access a hidden conversation directly, which should result in a '403 Forbidden' response. Next, perform a global search or use the AJAX filter path to search for the same conversation. The search results will include the hidden conversation, along with details such as the subject and customer information, despite the direct view being blocked.

Remediation

Users can update to FreeScout version 1.8.215 or later, where this vulnerability has been fixed.