FreeScout
cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*
- < 1.8.214
An authorization bypass vulnerability has been identified in FreeScout versions prior to 1.8.214. The Change Customer modal correctly hides out-of-scope customers because it uses the mailbox-filtered customer search endpoint, but the backend conversation_change_customer action does not apply the same check: it accepts any existing customer_email. A low-privileged agent can therefore skip the UI, forge the request directly, and bind a conversation they can see to a hidden customer belonging to another mailbox.
Exploitation allows an agent to bind conversations to customers outside their permitted scope, bypassing the customer visibility restriction enforced by the UI and potentially leading to mismanagement of customer interactions.
To reproduce this vulnerability, set the APP_LIMIT_USER_CUSTOMER_VISIBILITY variable to true so that customer visibility is limited by mailbox. Log in as a low-privileged agent and search for a customer who only exists in a mailbox that agent cannot access; the search should return no results. Then send a request to the conversation_change_customer action directly, passing the hidden customer's email as customer_email. The response indicates success, and the visible conversation is reassigned to the hidden customer.
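The following Python model is an added illustration of the gap described above, not FreeScout's own (PHP/Laravel) code: the search endpoint applies a mailbox-scoped visibility rule, the change-customer action only checks that the email exists, and an assumed hardened form reuses the search's visibility rule. The dataset, function names, and the exact shape of the fix are constructed assumptions.

```python
# Constructed model of the FreeScout authorization gap: the customer search
# behind the Change Customer modal is mailbox-scoped, but the change-customer
# action only verifies that the supplied e-mail exists. Illustrative code,
# not FreeScout's implementation; data, names and the fix are assumptions.
from dataclasses import dataclass, field

LIMIT_USER_CUSTOMER_VISIBILITY = True  # models APP_LIMIT_USER_CUSTOMER_VISIBILITY=true


@dataclass
class Agent:
    name: str
    mailbox_ids: frozenset  # mailboxes the agent is allowed to access


@dataclass
class Conversation:
    id: int
    mailbox_id: int
    customer_email: str


@dataclass
class Customer:
    email: str
    mailbox_ids: set = field(default_factory=set)  # mailboxes with this customer's conversations


def build_sample_data():
    """Constructed dataset: the agent sees mailbox 1 only; bob@ is known only in mailbox 2."""
    agent = Agent("lowpriv", frozenset({1}))
    customers = {
        "alice@example.com": Customer("alice@example.com", {1}),
        "bob@example.com": Customer("bob@example.com", {2}),  # hidden from the agent
    }
    conversations = {
        100: Conversation(100, 1, "alice@example.com"),  # visible to the agent
        200: Conversation(200, 2, "bob@example.com"),    # not visible to the agent
    }
    return agent, customers, conversations


def customer_visible(agent, customer):
    """Visibility rule: with the limit on, a customer is visible only if they have a
    conversation in one of the agent's mailboxes."""
    if not LIMIT_USER_CUSTOMER_VISIBILITY:
        return True
    return bool(customer.mailbox_ids & agent.mailbox_ids)


def search_customers(agent, customers, query):
    """The modal's search endpoint: correctly filtered by the visibility rule."""
    return sorted(c.email for c in customers.values()
                  if query.lower() in c.email.lower() and customer_visible(agent, c))


def change_customer_vulnerable(agent, customers, conversations, conv_id, customer_email):
    """Pre-1.8.214 behaviour as described: access to the conversation is checked,
    but customer_email only has to exist, so a hidden customer is accepted."""
    conv = conversations[conv_id]
    if conv.mailbox_id not in agent.mailbox_ids:
        raise PermissionError("no access to conversation")
    if customer_email not in customers:
        raise KeyError("unknown customer")
    conv.customer_email = customer_email
    return conv.customer_email


def change_customer_fixed(agent, customers, conversations, conv_id, customer_email):
    """Assumed hardened form: enforce the same visibility rule the search uses,
    server-side, instead of trusting that the UI already filtered the choice."""
    conv = conversations[conv_id]
    if conv.mailbox_id not in agent.mailbox_ids:
        raise PermissionError("no access to conversation")
    customer = customers.get(customer_email)
    if customer is None:
        raise KeyError("unknown customer")
    if not customer_visible(agent, customer):
        raise PermissionError("customer not visible to this user")
    conv.customer_email = customer_email
    return conv.customer_email


def reproduce():
    """Walk the advisory's steps. Returns (search hits for the hidden customer,
    customer bound by the vulnerable action, whether the fixed action blocked it)."""
    agent, customers, conversations = build_sample_data()
    hits = search_customers(agent, customers, "bob")  # UI shows nothing for bob@
    forged = change_customer_vulnerable(agent, customers, conversations, 100, "bob@example.com")
    agent, customers, conversations = build_sample_data()  # fresh state for the fixed path
    try:
        change_customer_fixed(agent, customers, conversations, 100, "bob@example.com")
        blocked = False
    except PermissionError:
        blocked = True
    return hits, forged, blocked


if __name__ == "__main__":
    print(reproduce())  # ([], 'bob@example.com', True)
```

The point the model makes is that a filter applied only in the UI's data source is not an authorization control: the state-changing action must apply the same scope check on every identifier the client submits.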
Users are advised to update FreeScout to version 1.8.214 or later, where this vulnerability has been patched.