https://feed.craftedsignal.io/tags/freescout/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 22 Apr 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-freescout-privesc/Wed, 22 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-freescout-privesc/FreeScout versions before 1.8.214 are vulnerable to privilege escalation, allowing a low-privileged agent to reassign email addresses from hidden customers to visible customers, leading to information disclosure and unauthorized access to conversations.FreeScout is a self-hosted help desk and shared mailbox system. A critical vulnerability, identified as CVE-2026-40589, exists in versions prior to 1.8.214. This flaw allows a low-privileged agent to escalate their privileges by manipulating customer records. Specifically, an agent can edit a visible customer’s profile and add an email address that is already associated with a hidden customer in a different mailbox. This results in the disclosure of the hidden customer’s name and profile URL within the application’s success flash message. Additionally, the vulnerable server reassigns the hidden customer’s email address to the visible customer and rebinds all conversations from the hidden mailbox associated with that email address to the visible customer. The vulnerability was patched in version 1.8.214. This poses a significant risk to organizations using affected versions of FreeScout, as it can lead to unauthorized access to sensitive customer data and communication.

Attack Chain

1. A low-privileged agent logs into the FreeScout instance.
2. The agent selects a visible customer within their accessible mailbox.
3. The agent attempts to edit the visible customer’s profile.
4. The agent adds an email address to the visible customer’s profile that is already associated with a hidden customer in another mailbox, which the agent would normally not have access to.
5. The server validates the request and, due to the vulnerability, allows the reassignment of the email address.
6. The server discloses the hidden customer’s name and profile URL in the success flash message displayed to the agent.
7. The server reassigns the hidden customer’s email address to the visible customer in the database.
8. All conversations previously associated with the hidden customer’s email address are now accessible to the agent through the visible customer’s profile, leading to unauthorized access of customer conversations.

Impact

Successful exploitation of CVE-2026-40589 can lead to a significant breach of confidentiality and integrity within a FreeScout instance. A low-privileged agent can gain unauthorized access to sensitive customer data, including names, profile URLs, and entire conversation histories. This can result in the compromise of customer privacy, potential regulatory violations, and damage to the organization’s reputation. The number of potential victims is directly proportional to the number of customers and mailboxes within the affected FreeScout instance.

Recommendation

• Upgrade FreeScout instances to version 1.8.214 or later to remediate CVE-2026-40589 as mentioned in the overview.
• Deploy the Sigma rule “FreeScout Hidden Customer Data Disclosure” to detect attempts to exploit this vulnerability in web server logs.
• Monitor FreeScout application logs for unusual activity related to customer profile modifications.
• Implement strict access control policies within FreeScout to minimize the potential impact of compromised agent accounts.

]]>mediumadvisoryprivilege-escalationcve-2026-40589freescouthttps://feed.craftedsignal.io/briefs/2026-04-freescout-mass-assignment/Wed, 22 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-freescout-mass-assignment/FreeScout versions prior to 1.8.213 contain a mass assignment vulnerability allowing authenticated admins to modify sensitive mailbox settings by injecting parameters into connection settings requests, leading to email exfiltration and account compromise.FreeScout, a self-hosted help desk and shared mailbox platform, is vulnerable to a mass assignment flaw (CVE-2026-40569) in versions prior to 1.8.213. The vulnerability resides in the connectionIncomingSave() and connectionOutgoingSave() methods within app/Http/Controllers/MailboxesController.php. These methods lack proper input validation, allowing an authenticated administrator to overwrite critical mailbox settings by injecting arbitrary parameters into legitimate connection setting update requests. Attackers can modify fields like auto_bcc, out_server, out_password, signature, auto_reply_enabled, and auto_reply_message. This issue allows malicious actors to silently surveil communications, redirect SMTP traffic, inject malicious content, and persistently compromise email accounts. The impact is particularly severe in multi-admin environments or when an admin session is compromised through other means (e.g., XSS). FreeScout version 1.8.213 addresses this vulnerability.

Attack Chain

1. An attacker gains authenticated access to the FreeScout admin panel, either through legitimate credentials or by exploiting another vulnerability (e.g., XSS).
2. The attacker navigates to the mailbox connection settings page.
3. The attacker crafts a legitimate request to update connection settings, such as IMAP or SMTP server details.
4. The attacker injects malicious parameters into the request, such as auto_bcc=attacker@evil.com, which are not directly exposed in the connection settings form.
5. The FreeScout application, due to the mass assignment vulnerability in connectionIncomingSave() or connectionOutgoingSave(), processes the injected parameters and updates the corresponding mailbox settings in the database.
6. When auto_bcc is set, every outgoing email from the compromised mailbox is silently BCC’d to the attacker-controlled email address via the SendReplyToCustomer job.
7. Alternatively, the attacker could modify the out_server and out_password fields to redirect outgoing SMTP traffic through an attacker-controlled server.
8. The attacker gains persistent access to all outgoing email from the affected mailbox, enabling data exfiltration or further malicious activities like phishing.

Impact

Successful exploitation of this vulnerability can lead to complete compromise of FreeScout mailboxes. An attacker could silently exfiltrate sensitive email communications, potentially impacting hundreds or thousands of users depending on the size of the organization. The injected parameters persist even after the initial attack, providing long-term access. This is especially dangerous in organizations that handle sensitive customer data or financial information. The ability to redirect SMTP traffic and inject malicious content further amplifies the risk, potentially leading to widespread phishing campaigns and reputational damage.

Recommendation

• Upgrade FreeScout to version 1.8.213 or later to patch CVE-2026-40569 immediately.
• Implement strict input validation and sanitization for all user-supplied data, particularly in the connectionIncomingSave() and connectionOutgoingSave() methods, to prevent mass assignment vulnerabilities.
• Review existing FreeScout installations for any unauthorized modifications to mailbox settings, specifically focusing on auto_bcc, out_server, out_password, signature, auto_reply_enabled, and auto_reply_message fields (requires direct database inspection).
• Monitor FreeScout webserver logs for POST requests to /mailboxes/*/connection/incoming-save and /mailboxes/*/connection/outgoing-save endpoints containing unexpected parameters to detect potential exploitation attempts (see example Sigma rule below).
• Enable webserver logging and ensure that POST request bodies are captured to facilitate investigation and detection.

]]>highadvisoryfreescoutmass-assignmentvulnerabilityemail-exfiltrationhttps://feed.craftedsignal.io/briefs/2026-04-freescout-authz-bypass/Wed, 22 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-freescout-authz-bypass/FreeScout versions before 1.8.215 are vulnerable to an incorrect authorization issue where users without conversation access can edit customer threads due to a flaw in the `ThreadPolicy::edit()` function.FreeScout, a self-hosted help desk and shared mailbox platform, is affected by an authorization bypass vulnerability. Specifically, versions prior to 1.8.215 fail to properly restrict access to customer threads within conversations. The vulnerability resides in the ThreadPolicy::edit() function, which checks mailbox access but neglects to enforce the ConversationPolicy’s assigned-only restriction. This allows a user who should not have access to a conversation to still load and modify customer-authored threads contained within that conversation. Upgrading to version 1.8.215 resolves this vulnerability. This allows unauthorized modification of customer communications, potentially leading to data breaches or manipulated customer service interactions.

Attack Chain

1. Attacker gains access to a FreeScout user account with limited privileges.
2. Attacker attempts to access a conversation thread for which they lack explicit authorization.
3. The application’s ThreadPolicy::edit() function is invoked to authorize the edit action.
4. The ThreadPolicy::edit() function incorrectly authorizes the action by only checking mailbox access, bypassing the ConversationPolicy’s assigned-only restriction.
5. The attacker successfully loads the customer-authored thread, gaining unauthorized access.
6. Attacker modifies the content of the customer-authored thread.
7. The modified thread is saved, altering the conversation history.
8. The change impacts communications with the customer.

Impact

This vulnerability (CVE-2026-41189) allows unauthorized users to modify customer communications within the FreeScout help desk platform. Successful exploitation can lead to data integrity issues, potentially impacting all customer conversations within the affected FreeScout instance. The severity is heightened by the potential for attackers to manipulate sensitive information, leading to reputational damage, legal ramifications, and loss of customer trust.

Recommendation

• Upgrade FreeScout to version 1.8.215 or later to patch CVE-2026-41189.
• Monitor FreeScout web server logs for unauthorized access attempts using the provided Sigma rule.
• Review user access controls and ensure that the principle of least privilege is enforced to limit the impact of potential compromises.
• Implement the provided Sigma rule to detect potential unauthorized thread editing attempts based on HTTP request patterns.

]]>mediumadvisoryfreescoutauthorizationvulnerabilityhttps://feed.craftedsignal.io/briefs/2026-04-freescout-css-injection/Tue, 21 Apr 2026 03:16:08 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-freescout-css-injection/FreeScout versions prior to 1.8.213 are vulnerable to CSS injection via the mailbox signature, allowing an attacker with mailbox settings access to exfiltrate CSRF tokens and escalate privileges.FreeScout, a self-hosted help desk and shared mailbox platform, is susceptible to a CSS injection vulnerability (CVE-2026-40497) in versions prior to 1.8.213. The vulnerability resides within the Helper::stripDangerousTags() function, which inadequately sanitizes the mailbox signature field. While the function removes <script>, <form>, <iframe>, and <object> tags, it fails to strip <style> tags. An attacker with access to mailbox settings, either an administrator or an agent with sufficient permissions, can inject malicious CSS code into the signature field via POST requests to /mailbox/settings/{id}. This injected CSS is then rendered unescaped in conversation views using {!! $conversation->getSignatureProcessed([], true) !!}. The application’s CSP, which allows style-src * 'self' 'unsafe-inline', enables the execution of injected inline styles. This vulnerability allows attackers to exfiltrate CSRF tokens and ultimately escalate privileges.

Attack Chain

1. Attacker gains access to FreeScout with agent or admin privileges and permission to modify mailbox settings.
2. Attacker navigates to the mailbox settings page.
3. Attacker injects malicious CSS code, including CSS attribute selectors designed to exfiltrate CSRF tokens, into the mailbox signature field via a POST request to /mailbox/settings/{id}. The injected CSS leverages style-src * 'self' 'unsafe-inline' in the Content Security Policy.
4. The FreeScout server saves the malicious signature to the database.
5. A victim (another agent or admin) views a conversation within the affected mailbox, causing the malicious signature to be rendered via {!! $conversation->getSignatureProcessed([], true) !!}.
6. The injected CSS executes in the victim’s browser and exfiltrates the CSRF token, potentially via a DNS request or HTTP request to an attacker-controlled server (not detailed in source).
7. The attacker uses the stolen CSRF token to perform unauthorized actions on behalf of the victim.
8. The attacker escalates privileges by creating new admin accounts or modifying existing user credentials.

Impact

Successful exploitation of this vulnerability allows an attacker to escalate privileges from an agent to an administrator within the FreeScout platform. This could lead to a complete compromise of the help desk system. An attacker could create new administrator accounts, modify existing user credentials, access sensitive customer data, and potentially disrupt the entire help desk operation. While the exact number of potentially affected FreeScout instances is unknown, all installations prior to version 1.8.213 are vulnerable if an attacker gains valid access.

Recommendation

• Upgrade FreeScout to version 1.8.213 or later to apply the updated fix for CVE-2026-40497.
• Implement the Sigma rule “FreeScout Suspicious Mailbox Signature Update” to detect attempts to inject CSS into the mailbox signature field.
• Monitor web server logs for POST requests to /mailbox/settings/{id} and inspect the request body for <style> tags or suspicious CSS syntax to potentially detect attempted exploitation (webserver log source).

]]>highadvisoryfreescoutcss-injectionprivilege-escalationcve-2026-40497https://feed.craftedsignal.io/briefs/2026-02-freescout-rce/Wed, 25 Feb 2026 14:05:50 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-02-freescout-rce/Critical vulnerabilities, CVE-2026-27636 and CVE-2026-27637, exist in FreeScout Help Desk that could be exploited to achieve remote code execution, potentially leading to data exfiltration and system compromise.<p>FreeScout, a popular open-source help desk solution, is affected by two critical vulnerabilities, CVE-2026-27636 and CVE-2026-27637. Disclosed in February 2026, these vulnerabilities can be exploited independently or chained to achieve remote code execution. CVE-2026-27636 stems from insufficient file upload restrictions, while CVE-2026-27637 relates to predictable authentication tokens. Successful exploitation allows attackers to execute arbitrary system commands, read/write files, pivot to…</p> criticaladvisoryfreescoutrcevulnerabilityapache