FreeScout Assigned-Only Mode Bypass Vulnerability in Draft Saving Feature

Vulnerability

A vulnerability exists in FreeScout versions prior to 1.8.215 that allows users to bypass the assigned-only conversation view restriction. When the 'APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS' setting is enabled, the application correctly blocks users who are neither the assignee nor the creator from accessing those conversations. However, the 'save_draft' AJAX endpoint does not apply the same restriction. A direct POST request to that endpoint can create a draft in a conversation the user cannot see, effectively injecting hidden content into the conversation.

Impact

This vulnerability allows users to inject draft messages into conversations they cannot access, disrupting the intended privacy and assignment controls.

Reproduction

To reproduce this vulnerability, enable the 'APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS' setting and ensure that the 'APP_LIMIT_USER_CUSTOMER_VISIBILITY' setting is also active. Log in as a user who is not the assignee or creator of a conversation that is assigned to another user. Attempt to access the conversation directly, which will be blocked due to permission restrictions. Then, send a POST request to the 'save_draft' AJAX endpoint, including the ID of the hidden conversation and the draft content. The response will confirm the successful creation of the draft, which can then be verified by checking the database.
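The root cause is an authorization check applied on the page view but not on the AJAX draft endpoint. The following is an added illustration, not FreeScout's code (class and function names are hypothetical stand-ins for the Laravel models and controllers): the same visibility predicate reused by both entry points, shown beside an unchecked handler modelled on the behaviour the advisory describes.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical stand-ins for FreeScout's models; not the project's own classes.
@dataclass(frozen=True)
class Settings:
    show_only_assigned_conversations: bool  # APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS

@dataclass
class Conversation:
    id: int
    assignee_id: Optional[int]  # user the conversation is assigned to
    creator_id: int             # user who created it
    drafts: List[Tuple[int, str]] = field(default_factory=list)

def can_view(user_id: int, conv: Conversation, settings: Settings) -> bool:
    """Assigned-only rule: only the assignee or the creator may see the conversation."""
    if not settings.show_only_assigned_conversations:
        return True
    return user_id in (conv.assignee_id, conv.creator_id)

def view_conversation(user_id: int, conv: Conversation, settings: Settings) -> dict:
    """The page view already enforces the rule, as the advisory states."""
    if not can_view(user_id, conv, settings):
        return {"status": "error", "msg": "Not found"}
    return {"status": "success", "id": conv.id}

def save_draft_unchecked(user_id: int, conv: Conversation, body: str, settings: Settings) -> dict:
    """Model of the pre-1.8.215 AJAX handler: the draft is stored with no visibility check."""
    conv.drafts.append((user_id, body))
    return {"status": "success"}

def save_draft_checked(user_id: int, conv: Conversation, body: str, settings: Settings) -> dict:
    """Hardened handler: reuse the same predicate before touching the draft."""
    if not can_view(user_id, conv, settings):
        return {"status": "error", "msg": "Not found"}
    conv.drafts.append((user_id, body))
    return {"status": "success"}

def demo() -> dict:
    """Constructed scenario: user 3 is neither the assignee (1) nor the creator (2)."""
    settings = Settings(show_only_assigned_conversations=True)
    conv = Conversation(id=42, assignee_id=1, creator_id=2)
    view = view_conversation(3, conv, settings)["status"]
    unchecked = save_draft_unchecked(3, conv, "hidden text", settings)["status"]
    leaked = len(conv.drafts)  # the draft landed despite the view being blocked
    conv.drafts.clear()
    checked = save_draft_checked(3, conv, "hidden text", settings)["status"]
    return {"view": view, "unchecked": unchecked, "leaked": leaked,
            "checked": checked, "stored_after_fix": len(conv.drafts)}
```

The defensive point is that every write path into a conversation (drafts, replies, notes) must consult the same predicate as the read path, so a hidden conversation cannot be reached through a secondary endpoint.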

Remediation

Update to FreeScout version 1.8.215 or later, where this vulnerability has been fixed.

Added: Apr 21, 2026, 5:49 PM
Updated: Apr 21, 2026, 5:49 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 6.8
remediation: 7.7
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.