FreeScout Permanent Unauthenticated Account Takeover Vulnerability via Leaked Invite Hash

Vulnerability

A vulnerability in FreeScout prior to version 1.8.217 allows permanent, unauthenticated account takeover through the user setup endpoint. The endpoint accepts a 60-character invite hash to reset a user's password but performs no expiration check, so the hash remains valid indefinitely. The flaw can therefore be exploited months or years after the invite was sent, particularly if the hash has leaked through forwarded emails, server logs, or shared inboxes. If an admin's invite hash is compromised, the attacker gains admin access.

Impact

Exploitation of this vulnerability leads to permanent, unauthenticated account takeover. If an admin's invite hash is leaked, the attacker gains admin privileges. The vulnerability also allows for the creation of additional admin accounts after takeover.

Reproduction

To reproduce this vulnerability, first obtain a leaked invite hash from a realistic leakage vector such as a shared inbox or server log. Then, send a POST request to the '/user-setup/{hash}' endpoint with the invite hash and a new password. After the request is processed, log in with the new password to access the account. This vulnerability can be verified by checking the user's invite state and hash in the database, which will show that the invite has been activated and the hash consumed.

Remediation

Users can update to FreeScout version 1.8.217 or later, where this vulnerability has been patched. The update is available on the FreeScout GitHub repository.
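As an added illustration of the missing check described above (example code, not FreeScout's own), the following Python models an invite store in the shape the advisory describes: a random token is mailed out, only its SHA-256 is stored, and redemption is refused once the token has been consumed or is older than an assumed 72-hour TTL. Passing `check_expiry=False` reproduces the pre-1.8.217 behaviour in which an unconsumed hash never expires. The TTL, the SHA-256 storage, and all class and function names are assumptions for this example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

INVITE_TTL = timedelta(hours=72)  # assumed policy value; FreeScout's real setting is not on the page

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class Invite:
    user_id: int
    issued_at: datetime
    consumed: bool = False

@dataclass
class InviteStore:
    # Keyed by the SHA-256 of the token, so a leaked table row is not itself a usable link.
    invites: dict[str, Invite] = field(default_factory=dict)

    def issue(self, user_id: int, now: datetime) -> str:
        """Mint a random invite token for user_id; the token itself goes into the e-mail."""
        token = secrets.token_urlsafe(32)
        self.invites[_digest(token)] = Invite(user_id, now)
        return token

    def redeem(self, token: str, now: datetime, check_expiry: bool = True) -> str:
        """Validate a token presented to the setup endpoint and consume it on success."""
        inv = self.invites.get(_digest(token))
        if inv is None:
            return "unknown"
        if inv.consumed:
            return "consumed"
        # check_expiry=False mirrors the pre-1.8.217 behaviour: an unconsumed hash never dies.
        if check_expiry and now - inv.issued_at > INVITE_TTL:
            return "expired"
        inv.consumed = True  # one-time use: the hash is spent by the first successful setup
        return "ok"

def scenario() -> dict[str, str]:
    store = InviteStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamps for the example
    fresh, leaked, leaked_fixed = (store.issue(uid, t0) for uid in (1, 2, 3))
    return {
        "fresh": store.redeem(fresh, t0 + timedelta(hours=1)),
        "replay": store.redeem(fresh, t0 + timedelta(hours=2)),
        "leaked_unpatched": store.redeem(leaked, t0 + timedelta(days=400), check_expiry=False),
        "leaked_patched": store.redeem(leaked_fixed, t0 + timedelta(days=400)),
    }
```

`scenario()` shows the two conditions a defender wants enforced side by side: a replayed hash is rejected as consumed, and a year-old hash is accepted only when the expiry check is switched off.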

Added: May 7, 2026, 7:51 PM
Updated: May 7, 2026, 7:51 PM

Vulnerability Rating (Custom Algorithm)

spread          2.2
impact          5.0
exploitability  9.1
remediation     7.7
relevance       7.7
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.