{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-41192/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-41192"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FreeScout"],"_cs_severities":["medium"],"_cs_tags":["freescout","attachment-deletion","cve-2026-41192"],"_cs_type":"advisory","_cs_vendors":["FreeScout"],"content_html":"\u003cp\u003eFreeScout, a self-hosted help desk and shared mailbox platform, is susceptible to an unauthorized attachment deletion vulnerability in versions prior to 1.8.215. This flaw stems from the application's trust in client-supplied encrypted attachment IDs during reply and draft processes. An attacker with access to a mailbox conversation can exploit this by obtaining encrypted attachment IDs and replaying them through the \u003ccode\u003esave_draft\u003c/code\u003e functionality. The lack of proper validation allows the attacker to trigger the \u003ccode\u003eAttachment::deleteByIds()\u003c/code\u003e function, leading to the deletion of the original attachment row and file. This vulnerability was addressed in FreeScout version 1.8.215. Exploitation can result in data loss and disruption of service for affected FreeScout users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to a FreeScout mailbox with visible conversations containing attachments.\u003c/li\u003e\n\u003cli\u003eAttacker inspects the HTML source or API responses of a conversation to obtain encrypted attachment IDs. These IDs are associated with legitimate attachments within the conversation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003esave_draft\u003c/code\u003e request, including the replayed encrypted attachment IDs in the \u003ccode\u003eattachments_all[]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker omits these replayed IDs from any retained attachment lists within the \u003ccode\u003esave_draft\u003c/code\u003e request.\u003c/li\u003e\n\u003cli\u003eFreeScout processes the \u003ccode\u003esave_draft\u003c/code\u003e request and decrypts the attachment IDs present in \u003ccode\u003eattachments_all[]\u003c/code\u003e but absent from the retained lists.\u003c/li\u003e\n\u003cli\u003eThe decrypted IDs are passed to the \u003ccode\u003eAttachment::deleteByIds()\u003c/code\u003e function without proper validation.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAttachment::deleteByIds()\u003c/code\u003e executes, deleting the original attachment row and the corresponding file from the FreeScout server.\u003c/li\u003e\n\u003cli\u003eThe victim user finds that the attachment has been deleted from the conversation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-41192) allows an attacker to delete attachments from FreeScout conversations without proper authorization. The number of potential victims depends on the number of FreeScout installations and the number of users with access to shared mailboxes. This can lead to data loss, disruption of business processes that rely on those attachments, and a potential loss of trust in the help desk system. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FreeScout installations to version 1.8.215 or later to patch CVE-2026-41192.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to monitor and block suspicious \u003ccode\u003esave_draft\u003c/code\u003e requests containing potentially replayed attachment IDs (cs-uri-query, cs-method from webserver logs).\u003c/li\u003e\n\u003cli\u003eMonitor FreeScout application logs for calls to \u003ccode\u003eAttachment::deleteByIds()\u003c/code\u003e originating from unusual IP addresses or user agents (application logs).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious patterns in web server logs indicative of exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-freescout-attachment-deletion/","summary":"FreeScout versions prior to 1.8.215 are vulnerable to unauthorized attachment deletion, allowing a malicious mailbox peer to delete attachments by replaying encrypted attachment IDs in the `save_draft` flow.","title":"FreeScout Unauthorized Attachment Deletion Vulnerability (CVE-2026-41192)","url":"https://feed.craftedsignal.io/briefs/2024-01-freescout-attachment-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-41192","version":"https://jsonfeed.org/version/1.1"}