FreeScout Thread Edit Authorization Bypass Vulnerability

A vulnerability in FreeScout prior to version 1.8.221 allows users with the PERM_EDIT_CONVERSATIONS permission to bypass mailbox membership checks when editing conversation threads. This issue arises because the authorization process only considers authorship and a global permission flag, neglecting current mailbox access. As a result, an agent who has been removed from a mailbox can still modify thread content in conversations they can no longer access.

Impact

Exploiting this vulnerability allows a user to silently overwrite their previous messages or internal notes in conversations from which they have been removed, creating a risk of altering the audit trail of communications without detection.

Reproduction

To reproduce this vulnerability, an agent must have the PERM_EDIT_CONVERSATIONS permission and be a member of a mailbox. The agent should create a message or internal note in a conversation. Once the message is sent, an administrator can remove the agent from the mailbox. After removal, the agent can still edit the thread using an AJAX request, bypassing the missing mailbox membership check.

Remediation

Users are advised to update FreeScout to version 1.8.221 or later, where this vulnerability has been fixed.