Daniil Satyaev

**Name of the Vulnerable Software and Affected Versions** FreeScout versions 1.8.185 and earlier **Description** FreeScout is a help desk and shared inbox built with PHP’s Laravel framework. Versions prior to 1.8.186 contain a deserialization of untrusted data issue that allows authenticated attackers with knowledge of the application's `APP KEY` to achieve remote code execution. The vulnerability is exploited via the `/help/{mailbox id}/auth/{customer id}/{hash}/{timestamp}` endpoint, where the `customer id` and `timestamp` parameters are processed through the `decrypt` function in `app/Helper.php` without proper validation. The code decrypts using Laravel's built-in encryption functions, which subsequently deserialize the decrypted payload without sanitization, allowing attackers to craft malicious serialized PHP objects to trigger arbitrary command execution. **Recommendations** Upgrade to FreeScout version 1.8.186 or later.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.186 **Description** FreeScout is a lightweight free open source help desk and shared inbox built with PHP (Laravel framework). Versions prior to 1.8.186 contain a critical deserialization vulnerability in the `/conversation/ajax` endpoint. Authenticated users with knowledge of the `APP KEY` can achieve remote code execution. The vulnerability occurs when the application processes the `attachments all` and `attachments` POST parameters through the `Helper::decrypt()` function, which performs unsafe deserialization of user-controlled data without proper validation. This allows attackers to create arbitrary objects and manipulate their properties, leading to complete compromise of the web application. **Recommendations** Update to version 1.8.186 or later.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 141 Thunderbird versions prior to 140.1 Firefox versions prior to 141 Firefox ESR versions prior to 140.1 **Description** Thunderbird and Firefox incorrectly handled path validation during frame navigations. This issue could potentially allow for malicious actions due to improper navigation checks within a frame. **Recommendations** Update Thunderbird to version 141 or later. Update Thunderbird to version 140.1 or later. Update Firefox to version 141 or later. Update Firefox ESR to version 140.1 or later.

Name of the Vulnerable Software and Affected Versions: Firefox versions prior to 140 Firefox ESR versions prior to 128.12 Description: The issue arises when a file download is specified via the `Content-Disposition` header, but this directive is ignored if the file is included via an `<embed>` or `<object>` tag. This could make a website vulnerable to a cross-site scripting attack. The vulnerability is related to the HTTP Header Handler component of Mozilla Firefox and Firefox ESR, which fails to protect the web page structure when handling the `Content-Disposition` parameter. Exploitation of this vulnerability could allow a remote attacker to conduct cross-site scripting attacks. Recommendations: For Firefox versions prior to 140, update to version 140 or later to resolve the issue. For Firefox ESR versions prior to 128.12, update to version 128.12 or later to resolve the issue. As a temporary workaround, consider disabling the use of `<embed>` and `<object>` tags in web pages until the issue is resolved. Restrict access to potentially vulnerable web pages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Laravel Translation Manager versions prior to 0.6.8 **Description** The application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user's browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities. Only authenticated users with access to the translation manager are impacted. **Recommendations** For versions prior to 0.6.8, update to version 0.6.8 to resolve the issue. As a temporary workaround, consider restricting access to the translation manager to minimize the risk of exploitation. Additionally, ensure that all user-input data is properly validated and sanitized to prevent malicious activities.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.179 **Description** The issue allows users to view arbitrary messages from other mailboxes or conversations they do not have access to, due to a lack of checks when creating a conversation from a message in another conversation. The access restriction to conversations, implemented by the `show only assigned conversations` setting, is also not checked. **Recommendations** For versions prior to 1.8.179, update to version 1.8.179 to resolve the issue. As a temporary workaround, consider restricting access to conversations by carefully managing the `show only assigned conversations` setting until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The application incorrectly checks user access rights for conversations. Users with `show only assigned conversations` enabled can assign themselves to an arbitrary conversation from the mailbox to which they have access, thereby bypassing the restriction on viewing conversations. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider disabling the feature that allows users to assign themselves to conversations until the update is applied. Restrict access to the mailbox to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The system does not provide a check on which clients an authorized user can view and edit. As a result, an authorized user without access to existing mailboxes or conversations can view and edit the system's clients. The limitation of client visibility can be implemented by the `limit user customer visibility` setting, but there is no check for the presence of this setting in certain scenarios. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider implementing the `limit user customer visibility` setting to restrict client visibility. Restrict access to client editing features to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The application's logic allows access to a functional capability without correctly completing one or more actions in the required sequence. This issue leaves the attributes of the Mailbox object able to be changed by the `fill` method. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting access to the Mailbox object's attributes to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The issue is related to insufficient input validation during user creation, resulting in a mass assignment vulnerability. This vulnerability allows an attacker to manipulate all fields of the object, which are enumerated in the `$fillable` array (the User object), when creating a new user. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting access to user creation functionality until the update is applied.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The issue concerns the laravel-translation-manager package in FreeScout, which does not correctly validate user input. This enables the deletion of any directory, given sufficient access rights. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to patch the vulnerability in the laravel-translation-manager package. As a temporary workaround, consider restricting access rights to minimize the risk of unauthorized directory deletion.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The issue allows an authorized user with the administrator role or the privilege `User::PERM EDIT USERS` to create a user and specify the path to the user's avatar as `../.htaccess` during creation. After creating the user, the user's avatar can be deleted, resulting in the deletion of the `.htaccess` file in the `/storage/app/public` folder. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting the `User::PERM EDIT USERS` privilege to prevent unauthorized users from creating or deleting users. Additionally, restrict access to the `/storage/app/public` folder to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The issue allows an attacker with an unactivated email invitation containing the `invite hash` to self-activate their account, even if it is blocked or deleted. This is achieved by leveraging the invitation link from the email to gain initial access to the account. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting access to the invitation link from unactivated email invitations until the update is applied.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.178 **Description** The issue is related to insufficient validation of user-supplied data, which is used as arguments to string formatting functions. This allows an attacker to pass a string containing special symbols (`r`, ` `, `t`) to the application. The estimated number of potentially affected devices worldwide is not provided. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 1.8.178, update to version 1.8.178 to resolve the issue. As a temporary workaround, consider restricting the input of special symbols (`r`, ` `, `t`) to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The issue is related to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data during mail signature sanitization. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user's browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities. Additionally, if an administrator accesses one of these emails with a modified signature, it could result in a subsequent Cross-Site Request Forgery (CSRF) vulnerability. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting access to mail signatures or disabling the feature that allows users to modify their signatures until the update is applied. Avoid using the application's mail signature feature with untrusted input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.178 **Description** The issue is related to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data in the conversation POST data body. **Recommendations** For versions prior to 1.8.178, update to version 1.8.178 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The issue is caused by a lack of input validation and sanitization in both `Session::flash` and other areas, allowing user input to be executed without proper filtering. This results in a cross-site scripting (XSS) issue. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider disabling the `Session::flash` function until a patch is available. Restrict access to areas where user input is not properly sanitized to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** FreeScout is a free self-hosted help desk and shared mailbox. The issue arises when creating a translation of a phrase that appears in a flash-message after a completed action, allowing the injection of a payload to exploit an XSS vulnerability. This problem has been corrected in version 1.8.180. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting access to the translation feature for creating phrases that appear in flash-messages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The issue is related to Cross-Site Scripting (XSS) attacks due to insufficient data validation and sanitization during data reception. This allows attackers to execute malicious scripts on the application. The problem has been patched in version 1.8.180. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider implementing additional data validation and sanitization measures to minimize the risk of exploitation. Restrict access to sensitive areas of the application until the update is applied.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.180 **Description** The issue allows an attacker to upload an HTML file containing malicious JavaScript code to the server, resulting in a Cross-Site Scripting (XSS) vulnerability. This occurs when the .htaccess file is deleted prior to version 1.8.180. **Recommendations** For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting access to the server to prevent malicious file uploads until the update is applied. Additionally, avoid deleting the .htaccess file to minimize the risk of exploitation.