FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, the ThreadPolicy::edit() method contains a broken access control vulnerability that allows any authenticated user (regardless of role or mailbox access) to read and modify all customer-created thread messages across all mailboxes. This flaw enables silent modification of customer messages (evidence tampering), bypasses the entire mailbox permission model, and constitutes a GDPR/compliance violation.
The issue has been fixed in version 1.8.209.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Freescout Freescout
cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*
|
— |
1.8.209
|
References 3
https://github.com/freescout-help-desk/freescout/commit/996a7f96337fdd8a1d1bbd0…
security-advisories@github.com
https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209
security-advisories@github.com
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wxg5-…
security-advisories@github.com