
Fr0Z863Xf

#20140 of 53,625
12.8 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2026-44987
5.3
2026-05-29
Freescout · Freescout · CVE-2026-45294
**Name of the Vulnerable Software and Affected Versions**
FreeScout versions prior to 1.8.219

**Description**
The password reset endpoint returns visually distinct responses based on whether the submitted email address is associated with an existing user account. This allows unauthenticated attackers to enumerate valid helpdesk agent email addresses.

**Recommendations**
Update to version 1.8.219.
PT-2026-44993
7.5
2026-05-29
Freescout · Freescout · CVE-2026-47123
**Name of the Vulnerable Software and Affected Versions**
FreeScout versions prior to 1.8.220

**Description**
The email processing pipeline in the `FetchEmails` command contains two code paths for identifying agent replies using In-Reply-To and References headers. The notification reply path (notify-`thread id`-`user id`-...) extracts the `thread id` and `user id` directly from the Message-ID without HMAC (Hash-based Message Authentication Code) verification. This allows an external attacker to spoof the From address of a helpdesk agent and inject messages that are processed as legitimate agent replies, which are then automatically forwarded to customers via the legitimate SMTP server.

**Recommendations**
Update to version 1.8.220.