FreeScout Customer-Thread Editing Authorization Bypass Vulnerability

Vulnerability

A vulnerability exists in FreeScout prior to version 1.8.215 that allows users to edit customer-authored threads in conversations they are not permitted to view. The root cause is that the `ThreadPolicy::edit()` method checks only mailbox access and does not apply the assigned-only restriction that `ConversationPolicy` enforces. A user who is blocked from viewing a conversation can therefore still load and modify the threads inside it.

Impact

An agent who is denied access to a conversation by the assigned-only restriction can nevertheless edit the customer-authored threads it contains. This breaks the integrity of customer-authored content, since an agent can alter what a customer wrote in a conversation the agent is not supposed to see, and it defeats the assigned-only visibility control, because the thread-editing path does not enforce it.

Reproduction

To reproduce, configure a mailbox so that agents see only the conversations assigned to them, then log in as an agent who has access to that mailbox but is not the assignee of a target conversation. Opening the conversation should return a 403. Despite that, the agent can still load and edit the customer-authored threads belonging to that conversation, bypassing the visibility restriction.
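The authorization gap described in the Vulnerability and Reproduction sections, as an added illustration in plain PHP. This is not FreeScout's code: the model classes, the fields `mailboxIds`, `assignedOnly` and `assigneeId`, and the policy bodies are assumptions; `VulnerableThreadPolicy` and `FixedThreadPolicy` stand in for the advisory's `ThreadPolicy::edit()` before and after the fix, and `ConversationPolicy::view()` stands in for the assigned-only check the advisory attributes to `ConversationPolicy`.

```php
<?php
// Added illustration, not FreeScout's code. Models the authorization gap
// with plain PHP objects (PHP 8.1+). Field and class names are assumptions.

final class User {
    public function __construct(
        public readonly int $id,
        public readonly array $mailboxIds,   // mailboxes this agent may access
        public readonly bool $isAdmin = false,
    ) {}
}

final class Mailbox {
    public function __construct(
        public readonly int $id,
        public readonly bool $assignedOnly,  // "show only assigned conversations"
    ) {}
}

final class Conversation {
    public function __construct(
        public readonly int $id,
        public readonly Mailbox $mailbox,
        public readonly ?int $assigneeId,
    ) {}
}

final class Thread {
    public function __construct(
        public readonly int $id,
        public readonly Conversation $conversation,
        public readonly bool $customerAuthored,
    ) {}
}

// The check the conversation page applies (the 403 in the reproduction).
final class ConversationPolicy {
    public function view(User $user, Conversation $conv): bool {
        if ($user->isAdmin) {
            return true;
        }
        if (!in_array($conv->mailbox->id, $user->mailboxIds, true)) {
            return false;
        }
        // Assigned-only mailboxes hide conversations not assigned to the agent.
        if ($conv->mailbox->assignedOnly && $conv->assigneeId !== $user->id) {
            return false;
        }
        return true;
    }
}

// Vulnerable shape: mailbox membership is the only thing checked, so the
// assigned-only restriction is never consulted when editing a thread.
final class VulnerableThreadPolicy {
    public function edit(User $user, Thread $thread): bool {
        return $user->isAdmin
            || in_array($thread->conversation->mailbox->id, $user->mailboxIds, true);
    }
}

// Fixed shape: editing a thread first requires permission to view the
// conversation it belongs to, so the two policies can no longer disagree.
final class FixedThreadPolicy {
    public function __construct(private readonly ConversationPolicy $conversations) {}

    public function edit(User $user, Thread $thread): bool {
        if (!$this->conversations->view($user, $thread->conversation)) {
            return false;
        }
        return $user->isAdmin
            || in_array($thread->conversation->mailbox->id, $user->mailboxIds, true);
    }
}

// Constructed scenario from the reproduction: a non-assignee agent with
// mailbox access, in a mailbox set to assigned-only.
$mailbox = new Mailbox(1, assignedOnly: true);
$agent   = new User(7, [1]);
$conv    = new Conversation(100, $mailbox, assigneeId: 8);   // assigned to another agent
$thread  = new Thread(1000, $conv, customerAuthored: true);

// Can the agent open the conversation page?
var_dump((new ConversationPolicy())->view($agent, $conv));
// Can the agent edit a thread in it under the vulnerable policy?
var_dump((new VulnerableThreadPolicy())->edit($agent, $thread));
// ... and under the fixed policy that delegates to ConversationPolicy?
var_dump((new FixedThreadPolicy(new ConversationPolicy()))->edit($agent, $thread));
```

The point of the fixed shape is that object-level authorization for a child record (a thread) must be at least as strict as for its parent (the conversation); delegating to the parent's policy rather than re-implementing a subset of its checks is what keeps the two from drifting apart.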

Remediation

Users should update FreeScout to version 1.8.215 or later, where this vulnerability has been fixed.

Added: Apr 21, 2026, 5:53 PM
Updated: Apr 21, 2026, 5:53 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.