Artem Danilov

**Name of the Vulnerable Software and Affected Versions** FreeScout versions 1.8.185 and earlier **Description** FreeScout is a help desk and shared inbox built with PHP’s Laravel framework. Versions prior to 1.8.186 contain a deserialization of untrusted data issue that allows authenticated attackers with knowledge of the application's `APP KEY` to achieve remote code execution. The vulnerability is exploited via the `/help/{mailbox id}/auth/{customer id}/{hash}/{timestamp}` endpoint, where the `customer id` and `timestamp` parameters are processed through the `decrypt` function in `app/Helper.php` without proper validation. The code decrypts using Laravel's built-in encryption functions, which subsequently deserialize the decrypted payload without sanitization, allowing attackers to craft malicious serialized PHP objects to trigger arbitrary command execution. **Recommendations** Upgrade to FreeScout version 1.8.186 or later.

**Name of the Vulnerable Software and Affected Versions** Netmaker versions prior to 1.5.0 **Description** Netmaker, which utilizes WireGuard, has an issue where the Authorize middleware does not properly validate host JWT tokens. When host authentication is permitted (`hostAllowed=true`), a valid host token circumvents authorization checks without confirming the host's access rights to the requested resource. This allows entities with knowledge of object identifiers (node IDs, host IDs) to construct requests using a valid host token to access, modify, or delete resources belonging to other hosts. The following **API endpoints** are affected: node info retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations. The vulnerable parameter is the host JWT token. **Recommendations** Update to version 1.5.0 or later.

**Name of the Vulnerable Software and Affected Versions** Netmaker versions prior to 1.5.0 **Description** Netmaker, which utilizes WireGuard, has an issue where the user update handler does not properly validate role assignments. Specifically, an administrator-role user can assign the super-admin role to another user via the `PUT /api/users/{username}` API endpoint. The system prevents an administrator from assigning the administrator role, but lacks a similar check for the super-admin role. The vulnerable parameter is `username`. **Recommendations** Update to version 1.5.0 or later.

**Name of the Vulnerable Software and Affected Versions** Netmaker versions prior to 1.5.0 **Description** Netmaker, a networking tool utilizing WireGuard, contains an issue where a user with the platform-user role can access WireGuard private keys for all configurations within a network. This occurs through the use of specific API endpoints without proper filtering based on user ownership. The affected **API Endpoints** are `/api/extclients/{network}` and `/api/nodes/{network}`. The issue allows unauthorized retrieval of sensitive data, including WireGuard private keys, despite UI restrictions intended to limit visibility. The variable `{network}` represents the network identifier. **Recommendations** Update to version 1.5.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.186 **Description** FreeScout is a lightweight free open source help desk and shared inbox built with PHP (Laravel framework). Versions prior to 1.8.186 contain a critical deserialization vulnerability in the `/conversation/ajax` endpoint. Authenticated users with knowledge of the `APP KEY` can achieve remote code execution. The vulnerability occurs when the application processes the `attachments all` and `attachments` POST parameters through the `Helper::decrypt()` function, which performs unsafe deserialization of user-controlled data without proper validation. This allows attackers to create arbitrary objects and manipulate their properties, leading to complete compromise of the web application. **Recommendations** Update to version 1.8.186 or later.

**Name of the Vulnerable Software and Affected Versions** Laravel Translation Manager versions prior to 0.6.8 **Description** The application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user's browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities. Only authenticated users with access to the translation manager are impacted. **Recommendations** For versions prior to 0.6.8, update to version 0.6.8 to resolve the issue. As a temporary workaround, consider restricting access to the translation manager to minimize the risk of exploitation. Additionally, ensure that all user-input data is properly validated and sanitized to prevent malicious activities.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The application incorrectly checks user access rights for conversations. Users with `show only assigned conversations` enabled can assign themselves to an arbitrary conversation from the mailbox to which they have access, thereby bypassing the restriction on viewing conversations. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider disabling the feature that allows users to assign themselves to conversations until the update is applied. Restrict access to the mailbox to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The system does not provide a check on which clients an authorized user can view and edit. As a result, an authorized user without access to existing mailboxes or conversations can view and edit the system's clients. The limitation of client visibility can be implemented by the `limit user customer visibility` setting, but there is no check for the presence of this setting in certain scenarios. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider implementing the `limit user customer visibility` setting to restrict client visibility. Restrict access to client editing features to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The application's logic allows access to a functional capability without correctly completing one or more actions in the required sequence. This issue leaves the attributes of the Mailbox object able to be changed by the `fill` method. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting access to the Mailbox object's attributes to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The issue is related to insufficient input validation during user creation, resulting in a mass assignment vulnerability. This vulnerability allows an attacker to manipulate all fields of the object, which are enumerated in the `$fillable` array (the User object), when creating a new user. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting access to user creation functionality until the update is applied.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The issue concerns the laravel-translation-manager package in FreeScout, which does not correctly validate user input. This enables the deletion of any directory, given sufficient access rights. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to patch the vulnerability in the laravel-translation-manager package. As a temporary workaround, consider restricting access rights to minimize the risk of unauthorized directory deletion.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The issue allows an authorized user with the administrator role or the privilege `User::PERM EDIT USERS` to create a user and specify the path to the user's avatar as `../.htaccess` during creation. After creating the user, the user's avatar can be deleted, resulting in the deletion of the `.htaccess` file in the `/storage/app/public` folder. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting the `User::PERM EDIT USERS` privilege to prevent unauthorized users from creating or deleting users. Additionally, restrict access to the `/storage/app/public` folder to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The issue allows an attacker with an unactivated email invitation containing the `invite hash` to self-activate their account, even if it is blocked or deleted. This is achieved by leveraging the invitation link from the email to gain initial access to the account. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting access to the invitation link from unactivated email invitations until the update is applied.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The issue is related to a mass assignment vulnerability in the Customer object, which is updated using the `fill()` method. This method processes fields such as `channel` and `channel id`, but it is called with all client-provided data, including unexpected values for these fields, leading to the vulnerability. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting the use of the `fill()` method to prevent mass assignment until the patch is applied. Avoid using unexpected values for `channel` and `channel id` in the affected object until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.178 **Description** The issue is related to insufficient validation of user-supplied data, which is used as arguments to string formatting functions. This allows an attacker to pass a string containing special symbols (`r`, ` `, `t`) to the application. The estimated number of potentially affected devices worldwide is not provided. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 1.8.178, update to version 1.8.178 to resolve the issue. As a temporary workaround, consider restricting the input of special symbols (`r`, ` `, `t`) to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.178 **Description** The issue is related to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data in the conversation POST data body. **Recommendations** For versions prior to 1.8.178, update to version 1.8.178 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The issue is caused by a lack of input validation and sanitization in both `Session::flash` and other areas, allowing user input to be executed without proper filtering. This results in a cross-site scripting (XSS) issue. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider disabling the `Session::flash` function until a patch is available. Restrict access to areas where user input is not properly sanitized to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** FreeScout is a free self-hosted help desk and shared mailbox. The issue arises when creating a translation of a phrase that appears in a flash-message after a completed action, allowing the injection of a payload to exploit an XSS vulnerability. This problem has been corrected in version 1.8.180. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting access to the translation feature for creating phrases that appear in flash-messages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The issue is related to Cross-Site Scripting (XSS) attacks due to insufficient data validation and sanitization during data reception. This allows attackers to execute malicious scripts on the application. The problem has been patched in version 1.8.180. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider implementing additional data validation and sanitization measures to minimize the risk of exploitation. Restrict access to sensitive areas of the application until the update is applied.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The issue allows an attacker to upload an HTML file containing malicious JavaScript code to the server, resulting in a Cross-Site Scripting (XSS) vulnerability. This occurs when the .htaccess file is deleted prior to version 1.8.180. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting access to the server to prevent malicious file uploads until the update is applied. Additionally, avoid deleting the .htaccess file to minimize the risk of exploitation.