<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-41192 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-41192/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-41192/feed.xml" rel="self" type="application/rss+xml"/><item><title>FreeScout Unauthorized Attachment Deletion Vulnerability (CVE-2026-41192)</title><link>https://feed.craftedsignal.io/briefs/2024-01-freescout-attachment-deletion/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-freescout-attachment-deletion/</guid><description>FreeScout versions prior to 1.8.215 are vulnerable to unauthorized attachment deletion, allowing a malicious mailbox peer to delete attachments by replaying encrypted attachment IDs in the `save_draft` flow.</description><content:encoded><![CDATA[<p>FreeScout, a self-hosted help desk and shared mailbox platform, is susceptible to an unauthorized attachment deletion vulnerability in versions prior to 1.8.215. This flaw stems from the application's trust in client-supplied encrypted attachment IDs during reply and draft processes. An attacker with access to a mailbox conversation can exploit this by obtaining encrypted attachment IDs and replaying them through the <code>save_draft</code> functionality. The lack of proper validation allows the attacker to trigger the <code>Attachment::deleteByIds()</code> function, leading to the deletion of the original attachment row and file. This vulnerability was addressed in FreeScout version 1.8.215. Exploitation can result in data loss and disruption of service for affected FreeScout users.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains access to a FreeScout mailbox with visible conversations containing attachments.</li>
<li>Attacker inspects the HTML source or API responses of a conversation to obtain encrypted attachment IDs. These IDs are associated with legitimate attachments within the conversation.</li>
<li>The attacker crafts a malicious <code>save_draft</code> request, including the replayed encrypted attachment IDs in the <code>attachments_all[]</code> parameter.</li>
<li>The attacker omits these replayed IDs from any retained attachment lists within the <code>save_draft</code> request.</li>
<li>FreeScout processes the <code>save_draft</code> request and decrypts the attachment IDs present in <code>attachments_all[]</code> but absent from the retained lists.</li>
<li>The decrypted IDs are passed to the <code>Attachment::deleteByIds()</code> function without proper validation.</li>
<li><code>Attachment::deleteByIds()</code> executes, deleting the original attachment row and the corresponding file from the FreeScout server.</li>
<li>The victim user finds that the attachment has been deleted from the conversation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability (CVE-2026-41192) allows an attacker to delete attachments from FreeScout conversations without proper authorization. The number of potential victims depends on the number of FreeScout installations and the number of users with access to shared mailboxes. This can lead to data loss, disruption of business processes that rely on those attachments, and a potential loss of trust in the help desk system. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high severity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade FreeScout installations to version 1.8.215 or later to patch CVE-2026-41192.</li>
<li>Implement web application firewall (WAF) rules to monitor and block suspicious <code>save_draft</code> requests containing potentially replayed attachment IDs (cs-uri-query, cs-method from webserver logs).</li>
<li>Monitor FreeScout application logs for calls to <code>Attachment::deleteByIds()</code> originating from unusual IP addresses or user agents (application logs).</li>
<li>Deploy the provided Sigma rule to detect suspicious patterns in web server logs indicative of exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>freescout</category><category>attachment-deletion</category><category>cve-2026-41192</category></item></channel></rss>