Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a Server-Side Request Forgery (SSRF) vulnerability in the IMAP/SMTP connection test functionality of FreeScout's MailboxesController. Three AJAX actions fetch_test (line 731), send_test (line 682), and imap_folders (line 773) in app/Http/Controllers/MailboxesController.php pass admin-configured in_server/in_port and out_server/out_port values directly to fsockopen() via Helper::checkPort() and to IMAP/SMTP client connections with zero SSRF protection. There is no IP validation, no hostname restriction, no blocklist of internal ranges, and no call to the project's own sanitizeRemoteUrl() or checkUrlIpAndHost() functions. The validation block in connectionIncomingSave() is entirely commented out. An authenticated admin can configure a mailbox's IMAP or SMTP server to point at any internal host and port, then trigger a connection test. The server opens raw TCP connections (via fsockopen()) and protocol-level connections (via IMAP client or SMTP transport) to the attacker-specified target. The response differentiates open from closed ports, enabling internal network port scanning. When the IMAP client connects to a non-IMAP service, the target's service banner or error response is captured in the IMAP debug log and returned in the AJAX response's log field, making this a semi-blind SSRF that enables service fingerprinting. In cloud environments, the metadata endpoint at 169[.]254[.]169[.]254 can be probed and partial response data may be leaked through protocol error messages. This is distinct from the sanitizeRemoteUrl() redirect bypass (freescout-3) -- different code path, different root cause, different protocol layer. Version 1.8.213 patches the vulnerability.
AnalysisAI
Server-Side Request Forgery (SSRF) in FreeScout versions before 1.8.213 allows authenticated administrators to probe internal networks and fingerprint services via unvalidated IMAP and SMTP connection test functionality. Three AJAX actions in MailboxesController pass attacker-controlled server hostnames and ports directly to fsockopen() and protocol clients without IP validation, hostname restrictions, or internal-range blocklists, enabling port scanning and service banner disclosure through IMAP debug logs and AJAX responses. The vulnerability requires admin authentication but affects confidentiality of internal infrastructure.
Technical ContextAI
FreeScout's mailbox configuration includes IMAP and SMTP server settings that administrators can customize. The vulnerability exists in three AJAX endpoints (fetch_test, send_test, imap_folders) within app/Http/Controllers/MailboxesController.php that call Helper::checkPort() and instantiate IMAP/SMTP client connections using admin-supplied in_server, in_port, out_server, and out_port parameters. These parameters are passed directly to PHP's fsockopen() function and mail protocol libraries without any validation against IP address ranges, private subnets, or localhost. The root cause is absent input validation (CWE-918: Server-Side Request Forgery) combined with commented-out validation logic in connectionIncomingSave(). The codebase includes defensive functions like sanitizeRemoteUrl() and checkUrlIpAndHost() that are deliberately not called in these code paths. In cloud deployments, the metadata endpoint at 169.254.169.254 becomes attackable, potentially leaking credential tokens or instance metadata through protocol error messages captured in debug logs.
RemediationAI
Upgrade FreeScout immediately to version 1.8.213 or later, which includes input validation for IMAP and SMTP server addresses. The patch adds IP validation and hostname restriction logic to the three vulnerable AJAX endpoints. Organizations unable to upgrade immediately should implement network-level compensating controls: restrict outbound TCP connections from the FreeScout server to only authorized mail servers using host-based firewall rules or network segmentation (blocking access to private IP ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, and 169.254.0.0/16), disable the AJAX mailbox test features via web server rules if not in use, and limit admin role assignment to trusted users only. See GitHub security advisory GHSA-fg98-rgx6-8x4g and commit efe82e31b4a0d4c0b20025d09df0615e8139ff08 for implementation details.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24167