Freescout · Freescout · CVE-2026-35584
Name of the Vulnerable Software and Affected Versions
FreeScout versions prior to 1.8.212
Description
FreeScout, a help desk and shared inbox built on Laravel, exposes a GET `/thread/read/{conversation id}/{thread id}` endpoint that marks a thread as read. In affected versions this route requires no authentication and does not check that the thread identified by `thread id` belongs to the conversation identified by `conversation id`. An unauthenticated attacker can therefore mark any thread as read by supplying arbitrary IDs, enumerate valid thread IDs from the HTTP status code (200 for an existing thread, 404 otherwise), and alter `opened at` timestamps on threads across conversations. The root cause is an Insecure Direct Object Reference (IDOR): the thread is looked up by a client-supplied ID with neither an authorization check nor an ownership check, and because the operation is a state-changing GET, each change needs only a single request.
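The enumeration pattern described above leaves a recognizable trace in web-server access logs: one client issuing many GET `/thread/read/...` requests over consecutive thread IDs, a mix of 200 and 404 responses, and the same thread ID requested under several conversation IDs. The following Python script is an added example for this advisory, not FreeScout code. It parses constructed combined-format log lines (not real traffic), aggregates requests per client IP, and flags both the enumeration signature and cross-conversation probing. The thresholds `min_requests` and `min_distinct_threads` are assumptions to tune per deployment.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in combined log format (not real
# FreeScout traffic). 10.0.0.5 behaves like a normal agent; 203.0.113.9 walks
# thread IDs in conversation 1 and then requests thread 1 under conversations
# 2 and 3 to probe the missing ownership check.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2026:09:00:01 +0000] "GET /conversation/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2026:09:00:02 +0000] "GET /thread/read/42/300 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2026:09:00:09 +0000] "GET /thread/read/42/301 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:09:01:00 +0000] "GET /thread/read/1/1 HTTP/1.1" 200 12 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2026:09:01:00 +0000] "GET /thread/read/1/2 HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2026:09:01:00 +0000] "GET /thread/read/1/3 HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2026:09:01:01 +0000] "GET /thread/read/1/4 HTTP/1.1" 200 12 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2026:09:01:01 +0000] "GET /thread/read/1/5 HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2026:09:01:01 +0000] "GET /thread/read/1/6 HTTP/1.1" 200 12 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2026:09:01:02 +0000] "GET /thread/read/1/7 HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2026:09:01:02 +0000] "GET /thread/read/1/8 HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2026:09:01:03 +0000] "GET /thread/read/2/1 HTTP/1.1" 200 12 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2026:09:01:03 +0000] "GET /thread/read/3/1 HTTP/1.1" 200 12 "-" "python-requests/2.31"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# The vulnerable route, with an optional trailing slash or query string.
THREAD_READ_RE = re.compile(r'^/thread/read/(?P<conv>\d+)/(?P<thread>\d+)/?(?:\?.*)?$')


def parse_thread_reads(lines):
    """Yield (ip, conversation_id, thread_id, status) for each GET /thread/read line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m['method'] != 'GET':
            continue
        p = THREAD_READ_RE.match(m['path'])
        if not p:
            continue
        yield m['ip'], int(p['conv']), int(p['thread']), int(m['status'])


def find_enumeration(lines, min_requests=10, min_distinct_threads=5):
    """Return {ip: summary} for clients whose /thread/read traffic looks like abuse.

    Two signals are used: (1) many requests over many distinct thread IDs with at
    least one 404, which is what ID walking produces and what a normal agent, who
    only reads threads shown in the UI, does not; (2) the same thread ID requested
    under more than one conversation ID, which only makes sense when probing the
    missing thread/conversation ownership check.
    """
    stats = defaultdict(lambda: {
        'requests': 0, 'threads': set(), 'status': defaultdict(int),
        'thread_convs': defaultdict(set),
    })
    for ip, conv, thread, status in parse_thread_reads(lines):
        s = stats[ip]
        s['requests'] += 1
        s['threads'].add(thread)
        s['status'][status] += 1
        s['thread_convs'][thread].add(conv)

    findings = {}
    for ip, s in stats.items():
        cross = {t: sorted(c) for t, c in s['thread_convs'].items() if len(c) > 1}
        enumerating = (
            s['requests'] >= min_requests
            and len(s['threads']) >= min_distinct_threads
            and s['status'].get(404, 0) > 0
        )
        if enumerating or cross:
            findings[ip] = {
                'requests': s['requests'],
                'distinct_threads': len(s['threads']),
                'ok': s['status'].get(200, 0),
                'not_found': s['status'].get(404, 0),
                'cross_conversation': cross,   # thread_id -> conversation IDs it was requested under
            }
    return findings


if __name__ == '__main__':
    for ip, summary in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

Run against real logs by replacing `SAMPLE_LOG.splitlines()` with the lines of the access log; the cross-conversation signal needs no threshold and is worth alerting on even for a handful of requests, while the enumeration thresholds should sit above the number of threads an agent opens in a normal session.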
Recommendations
Upgrade to FreeScout version 1.8.212 or later. After upgrading, confirm that an unauthenticated GET to `/thread/read/{conversation id}/{thread id}` no longer marks the thread as read and no longer reveals whether the thread ID exists through the status code. Until the upgrade is applied, blocking the path at the reverse proxy or limiting it to trusted networks removes unauthenticated access, at the cost of the mark-as-read function for agents outside those networks. Access logs for affected instances should be reviewed for bursts of requests to this path from a single client, since ID enumeration produces many requests with mixed 200 and 404 responses.