FreeScout
cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*
- <= 1.8.216
A server-side request forgery (SSRF) vulnerability has been identified in FreeScout versions prior to 1.8.217. The issue arises in the `Helper::sanitizeRemoteUrl()` function, which, after following HTTP redirects, re-validates the original URL rather than the final destination. This flaw allows an attacker to redirect FreeScout to internal HTTP services, such as cloud metadata or internal APIs, that would typically be inaccessible. No authentication is required: exploitation can be achieved by sending an email with an inline image that points to an attacker-controlled redirector.
Exploitation of this vulnerability could lead to unauthorized access to internal HTTP services, cloud metadata, and internal APIs, allowing for potential reconnaissance or data exfiltration. When combined with the inbound email attachment processing, this vulnerability can be exploited with no authentication.
The vulnerability can be reproduced by sending an email to a FreeScout help desk with an inline image whose URL points to a server controlled by the attacker. This server should be set up to respond with a 302 redirect to an internal-only HTTP service. FreeScout will follow the redirect, but due to the vulnerability, it will not properly validate the final destination, allowing access to the internal service.
Users can update to FreeScout version 1.8.217 or later, where this vulnerability has been patched.
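The redirect handling described above can be modelled offline to show why checking only the original URL fails and what a per-hop check looks like. This is an added example, not FreeScout's code: `fetch_flawed`, `fetch_checked`, `is_allowed`, the blocklist, and the sample hosts and responses are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Constructed sample data (no network I/O): hostname -> IP, URL -> (status, Location).
DNS = {"img.example.net": "203.0.113.10", "cdn.example.org": "198.51.100.7"}
RESPONSES = {
    "http://img.example.net/logo.png": (302, "http://10.0.0.5/internal"),
    "http://10.0.0.5/internal": (200, None),
    "http://cdn.example.org/a.png": (302, "/b.png"),
    "http://cdn.example.org/b.png": (200, None),
}
REDIRECTS = (301, 302, 303, 307, 308)
# Illustrative, non-exhaustive list of ranges a help desk should never fetch from.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_allowed(url):
    """True only for http(s) URLs whose host resolves outside BLOCKED."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        ip = ipaddress.ip_address(host)          # host is an IP literal
    except ValueError:
        if host not in DNS:                      # unresolvable: refuse
            return False
        ip = ipaddress.ip_address(DNS[host])
    return not any(ip in net for net in BLOCKED)

def fetch_flawed(url, max_hops=5):
    """Models the flaw: redirects are followed, then the ORIGINAL URL is checked."""
    final = url
    for _ in range(max_hops):
        status, location = RESPONSES[final]      # request is sent to each hop
        if status not in REDIRECTS:
            break
        final = urljoin(final, location)
    return final if is_allowed(url) else None

def fetch_checked(url, max_hops=5):
    """Checks every hop before requesting it; returns the final URL or None."""
    current = url
    for _ in range(max_hops):
        if not is_allowed(current):
            return None
        status, location = RESPONSES[current]
        if status not in REDIRECTS:
            return current
        current = urljoin(current, location)
    return None                                  # redirect limit reached
```

A real client must also connect to the same address it validated, because a hostname can resolve differently between the check and the request.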