FreeScout
cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*
- <= 1.8.216
A vulnerability in FreeScout prior to version 1.8.217 allows users with the PERM_EDIT_USERS permission to read and modify the notification subscriptions of any other user, including administrators. This is achieved by sending a single POST request, exploiting an authorization bypass in the notification management feature. The issue arises because the 'update' policy, which is intended for general user profile editing, is improperly applied to notification subscriptions, allowing non-admin users to interfere with admin notification settings. As a result, an attacker could silently disable an admin's email, browser, or mobile notifications, disrupting the receipt of security alerts and conversation assignment notices.
Exploiting this vulnerability lets a non-admin user who holds PERM_EDIT_USERS modify the notification preferences of any other user, including admins. Because the change produces no notice to the victim, an admin can lose security alerts and operational notifications without knowing it, delaying awareness of and response to critical events.
To reproduce this vulnerability, authenticate as a non-admin user who holds the PERM_EDIT_USERS permission, obtain a valid CSRF token for that session, and send a POST request to the 'notificationsSave' endpoint for another user, such as an admin, with the desired subscription values. A tool like curl is sufficient. The response indicates that the target user's notification subscriptions were saved, in this case cleared. On a patched instance (1.8.217 or later) the same request should be refused as unauthorized, which is the check to run after upgrading.
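The authorization gap behind the description and the reproduction steps above, as an added illustration that is not FreeScout's source code: a minimal user model and a notification-save handler are guarded first by a broad profile 'update' policy (self, admin, or any PERM_EDIT_USERS holder) and then by a policy scoped to the user themselves or an admin. The permission token, channel names and the hardened policy are assumptions chosen for the example; the page does not state how 1.8.217 actually fixes the check.

```python
"""Added illustration of the misapplied 'update' policy (example code, not FreeScout's).

Replays the advisory scenario: a PERM_EDIT_USERS holder posts an empty subscription
set for an admin. Under the broad profile policy the admin's subscriptions are
cleared; under a policy scoped to self-or-admin the request is refused.
"""
from dataclasses import dataclass, field

PERM_EDIT_USERS = "edit_users"          # assumed token name for the permission
ALL_CHANNELS = frozenset({"email", "browser", "mobile"})   # assumed channel names


@dataclass
class User:
    id: int
    is_admin: bool = False
    permissions: frozenset = frozenset()
    subscriptions: set = field(default_factory=lambda: set(ALL_CHANNELS))

    def has_permission(self, perm: str) -> bool:
        # Admins implicitly hold every permission in this model.
        return self.is_admin or perm in self.permissions


class AuthorizationError(Exception):
    """Raised when the policy denies the request (a 403 in the web app)."""


def update_profile_policy(actor: User, target: User) -> bool:
    """Broad 'update' policy meant for profile editing: self, admin, or any holder
    of PERM_EDIT_USERS may edit the target. Wiring this to the notification
    endpoint is the flaw the advisory describes."""
    return actor.id == target.id or actor.has_permission(PERM_EDIT_USERS)


def notifications_policy(actor: User, target: User) -> bool:
    """Narrower policy for subscriptions: only the user themselves or an admin.
    One possible correction (an assumption, not the project's actual patch)."""
    return actor.id == target.id or actor.is_admin


def notifications_save(actor: User, target: User, new_subscriptions, policy) -> set:
    """Handler for the 'save notifications' POST. `policy` is whatever check the
    route is wired to; CSRF validation is assumed to have passed already."""
    if not policy(actor, target):
        raise AuthorizationError(
            f"user {actor.id} may not edit subscriptions of user {target.id}")
    target.subscriptions = set(new_subscriptions) & ALL_CHANNELS
    return set(target.subscriptions)


def run_scenario(policy) -> dict:
    """Replay the advisory scenario under a given policy and report the outcome."""
    admin = User(id=1, is_admin=True)
    editor = User(id=2, permissions=frozenset({PERM_EDIT_USERS}))
    outcome = {}
    try:
        # Non-admin editor posts an empty subscription set for the admin.
        notifications_save(editor, admin, [], policy)
        outcome["editor_cleared_admin"] = True
    except AuthorizationError:
        outcome["editor_cleared_admin"] = False
    outcome["admin_subscriptions"] = set(admin.subscriptions)
    # Legitimate use must keep working: a user editing their own subscriptions ...
    outcome["editor_self"] = notifications_save(editor, editor, ["email"], policy) == {"email"}
    # ... and an admin editing someone else's.
    outcome["admin_on_editor"] = notifications_save(admin, editor, ["browser"], policy) == {"browser"}
    return outcome


if __name__ == "__main__":
    print("vulnerable policy:", run_scenario(update_profile_policy))
    print("hardened policy:  ", run_scenario(notifications_policy))
```

The model covers only the policy decision. On a real instance the route path, the form field names and the CSRF token handling are application specifics this example does not reproduce; the point is that the authorization check on the notification endpoint must be narrower than the one used for general profile editing, and that narrowing it must not break a user editing their own settings or an admin editing anyone's.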
Users are advised to update FreeScout to version 1.8.217 or later, where this vulnerability has been patched. Until the upgrade is applied, review which non-admin accounts hold PERM_EDIT_USERS, since that permission is the precondition for the attack.