FreeScout
cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*
- < 1.8.215
A vulnerability in FreeScout prior to version 1.8.215 allows for the deletion of attachments through client-supplied encrypted attachment IDs. The issue arises because the application trusts these IDs without proper validation. When an attachment is uploaded, its encrypted ID is returned and can be intercepted by a mailbox peer. This peer can then replay the ID to delete the original attachment from the conversation, exploiting the lack of ownership checks and permissions for deletion.
This vulnerability allows any mailbox peer who can view a conversation to delete original attachments from existing threads, without any ownership or permission checks.
To reproduce this vulnerability, log in as a user and upload an attachment to a conversation. Then, log in as a mailbox peer who can view the conversation. Use the 'load_attachments' action to fetch the encrypted ID of the uploaded attachment. After obtaining the ID, replay it through the 'save_draft' action, omitting the 'attachments[]' parameter. This will trigger the deletion of the original attachment from the conversation.
Users should update to FreeScout version 1.8.215 or later, where this vulnerability has been fixed.
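The trust failure described above, modeled in Python as an added example (not FreeScout's code or its actual patch): an HMAC-sealed ID stands in for the encrypted attachment ID, and the function names, the `listed`/`kept` parameters and the delete-what-was-not-kept logic are assumptions for illustration. The hardened variant authorizes each deletion from server-side attachment records rather than from the token.

```python
import hashlib
import hmac
from dataclasses import dataclass

KEY = b"constructed-demo-key"  # constructed; stands in for the application's secret

@dataclass
class Attachment:
    id: int
    thread_id: int    # thread the file is attached to
    uploader_id: int  # user who uploaded it

def seal(att_id):  # opaque client-side ID: tamper-evident, not bound to a user
    mac = hmac.new(KEY, str(att_id).encode(), hashlib.sha256).hexdigest()
    return f"{att_id}.{mac}"

def unseal(token):
    raw, _, mac = token.partition(".")
    good = hmac.new(KEY, raw.encode(), hashlib.sha256).hexdigest()
    return int(raw) if hmac.compare_digest(mac.encode(), good.encode()) else None

def save_draft_vulnerable(store, user_id, draft_thread_id, listed, kept):
    """Assumed flaw: any ID that unseals correctly and was not kept is deleted."""
    deleted = []
    for tok in listed:
        att_id = unseal(tok)
        if att_id in store and tok not in kept:
            del store[att_id]
            deleted.append(att_id)
    return deleted

def save_draft_hardened(store, user_id, draft_thread_id, listed, kept):
    deleted = []
    for tok in listed:
        att = store.get(unseal(tok))
        if att is None or tok in kept:
            continue
        # Decide from server-side records; a valid token is not permission.
        if att.thread_id != draft_thread_id or att.uploader_id != user_id:
            continue
        del store[att.id]
        deleted.append(att.id)
    return deleted

def demo():
    # Constructed data: user 1 owns attachment 7 on thread 100; peer user 2 drafts on thread 200.
    make = lambda: {7: Attachment(7, 100, 1), 8: Attachment(8, 200, 2)}
    replayed = [seal(7), seal(8)]
    return (save_draft_vulnerable(make(), 2, 200, replayed, []),
            save_draft_hardened(make(), 2, 200, replayed, []))
```

In the constructed data the vulnerable handler removes both attachments, while the hardened one removes only the peer's own draft file and leaves the original attachment in place.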