FreeScout User Account Enumeration Vulnerability via Password Reset Response Differentiation

Vulnerability

A user account enumeration vulnerability has been identified in FreeScout versions prior to 1.8.219. The issue arises in the password reset endpoint, which returns different responses depending on whether the submitted email address belongs to an existing user. This discrepancy allows unauthenticated attackers to identify valid helpdesk agent email addresses. FreeScout is a help desk and shared inbox application built on the Laravel PHP framework.

Impact

Exploitation of this vulnerability allows for the enumeration of valid helpdesk agent email addresses. This harvested information could be used for targeted phishing attacks, such as credential phishing or social engineering. Additionally, according to the FreeScout advisory, valid agent emails are needed to exploit a separate agent impersonation vulnerability.

Reproduction

To reproduce this vulnerability, send a password reset request to the FreeScout application. If the email address exists, the response will include a success message with the CSS class 'alert alert-success'. If the email address does not exist, the response will contain an error message with the class 'form-group has-error'. This difference in response allows for easy automated enumeration of valid email addresses.

Remediation

Users are advised to update FreeScout to version 1.8.219 or later. Additionally, implementing a rate limit on password reset requests could help mitigate the risk of enumeration.
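To illustrate the response-differentiation defect and the uniform-response fix described above, the following is an added example modelled on Laravel's stock password-reset scaffolding; it is not FreeScout's code, and the controller, method and route names are assumptions.

```php
<?php
// Added illustration (not FreeScout's code): a Laravel password-reset action
// that answers identically whether or not the address belongs to a user.
// Class, method and route names are assumptions based on Laravel's auth scaffolding.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Password;
use Illuminate\Support\Facades\Route;

class ForgotPasswordController extends Controller
{
    // Before: the two branches render different markup (a success alert for a
    // known address, a field error for an unknown one), so the response body
    // tells an unauthenticated caller whether the account exists.
    public function sendResetLinkEmailLeaky(Request $request)
    {
        $request->validate(['email' => 'required|email']);
        $status = Password::broker()->sendResetLink($request->only('email'));

        if ($status === Password::RESET_LINK_SENT) {
            return back()->with('status', __($status));
        }
        return back()->withErrors(['email' => __($status)]);
    }

    // After: the broker still only mails existing users, but the controller
    // ignores the returned status and always renders the same generic message,
    // so valid and invalid addresses produce the same page.
    public function sendResetLinkEmail(Request $request)
    {
        $request->validate(['email' => 'required|email']);
        Password::broker()->sendResetLink($request->only('email'));

        return back()->with(
            'status',
            'If an account exists for that address, a reset link has been sent.'
        );
    }
}

// Route registration: Laravel's built-in throttle middleware caps requests per
// client (here 5 per minute), the rate limit the remediation section suggests.
Route::post('/password/email', [ForgotPasswordController::class, 'sendResetLinkEmail'])
    ->middleware('throttle:5,1');
```

The body is now uniform, but sending the mail synchronously still takes longer for real accounts than for unknown ones; dispatching the reset notification to a queue removes that timing difference as well.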

Added: May 29, 2026, 8:32 PM
Updated: May 29, 2026, 8:32 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 9.7
remediation: 7.7
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.