Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the load_customer_info action in POST /conversation/ajax returns complete customer profile data to any authenticated user without verifying mailbox access. An attacker only needs a valid email address to retrieve all customer PII. Version 1.8.213 fixes the issue.
AnalysisAI
FreeScout versions prior to 1.8.213 expose complete customer PII through an authentication bypass in the load_customer_info action of POST /conversation/ajax, allowing any authenticated user to retrieve sensitive profile data for arbitrary customers by providing only a valid email address. The vulnerability affects the authorization layer rather than authentication, enabling lateral access to customer records across mailboxes without proper access control verification.
Technical ContextAI
FreeScout is a self-hosted help desk application built on Laravel. The vulnerability exists in the /conversation/ajax endpoint's load_customer_info action, which processes POST requests to fetch customer profile information. The underlying issue is a broken access control flaw (CWE-639) where the endpoint verifies that a user is authenticated (PR:L in CVSS vector) but fails to validate whether that authenticated user has permission to access the specific customer's mailbox or account. This is a classic authorization bypass where authentication is checked but authorization (mailbox membership) is not. The attacker can enumerate customer records by submitting valid email addresses, as no rate-limiting or additional validation gates the retrieval.
RemediationAI
Vendor-released patch: FreeScout version 1.8.213 or later. Upgrade immediately by pulling the latest release from the official FreeScout GitHub repository (https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213) or applying the upstream fix from commit f35b4249c72d9bdac6ab1ea4e288f5894be34057. If immediate patching is not possible, implement access control validation in the /conversation/ajax endpoint to verify that the authenticated user belongs to the mailbox associated with the requested customer record before returning profile data. Additionally, audit FreeScout user access logs to identify any suspicious cross-mailbox customer information lookups during the period before patching. Consider temporarily restricting non-administrative user access to the /conversation/ajax endpoint if business operations permit.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24173