Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Lifecycle Timeline
7DescriptionGitHub Advisory
FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a mass assignment vulnerability in the mailbox connection settings endpoints of FreeScout (connectionIncomingSave() at app/Http/Controllers/MailboxesController.php:468 and connectionOutgoingSave() at line 398). Both methods pass $request->all() directly to $mailbox->fill() without any field allowlisting, allowing an authenticated admin to overwrite any of the 32 fields in the Mailbox model's $fillable array -- including security-critical fields that do not belong to the connection settings form, such as auto_bcc, out_server, out_password, signature, auto_reply_enabled, and auto_reply_message. Validation in connectionIncomingSave() is entirely commented out, and the validator in connectionOutgoingSave() only checks value formats for SMTP fields without stripping extra parameters. An authenticated admin user can exploit this by appending hidden parameters (e.g., auto_bcc=attacker@evil.com) to a legitimate connection settings save request. Because the auto_bcc field is not displayed on the connection settings form (it only appears on the general mailbox settings page), the injection is invisible to other administrators reviewing connection settings. Once set, every outgoing email from the affected mailbox is silently BCC'd to the attacker via the SendReplyToCustomer job. The same mechanism allows redirecting outgoing SMTP through an attacker-controlled server, injecting tracking pixels or phishing links into email signatures, and enabling attacker-crafted auto-replies -- all from a single HTTP request. This is particularly dangerous in multi-admin environments where one admin can silently surveil mailboxes managed by others, and when an admin session is compromised via a separate vulnerability (e.g., XSS), the attacker gains persistent email exfiltration that survives session expiry. Version 1.8.213 fixes the issue.
AnalysisAI
Mass assignment vulnerability in FreeScout versions before 1.8.213 allows authenticated administrators to covertly exfiltrate all outgoing emails and inject malicious content into email communications. By exploiting unfiltered parameter binding in mailbox connection settings endpoints, an attacker with admin credentials can silently set auto_bcc to forward copies of every outgoing email, redirect SMTP traffic through attacker-controlled servers, inject tracking pixels or phishing links into signatures, and enable malicious auto-replies-all invisible to other administrators. The CVSS score of 9.0 reflects high confidentiality and integrity impact with changed scope, though exploitation requires high-privilege (admin) access. No public exploit code or CISA KEV listing identified, but the vulnerability is particularly dangerous in multi-admin deployments and when combined with session compromise vectors like XSS (noted in tags), as it provides persistent email surveillance beyond initial access.
Technical ContextAI
This is a classic mass assignment vulnerability (CWE-284: Improper Access Control) in a Laravel-based PHP application. The affected code in MailboxesController.php uses Laravel's model mass assignment feature incorrectly by passing the entire HTTP request payload ($request->all()) directly to the Mailbox model's fill() method without allowlisting specific fields. Laravel's Eloquent ORM allows mass assignment to any field listed in a model's $fillable array-in this case, 32 different mailbox configuration fields. The vulnerability exists because the connection settings endpoints (connectionIncomingSave() and connectionOutgoingSave()) expose fillable fields that should only be modifiable through other, more restricted endpoints. The incoming connection method has validation entirely commented out, while the outgoing method only validates SMTP-specific field formats without filtering which parameters are accepted. This allows attackers to inject assignments to security-sensitive fields like auto_bcc (blind carbon copy recipients), out_server (SMTP relay server), out_password (SMTP credentials), signature (HTML email signatures), and auto_reply_message that are not part of the connection settings UI but share the same underlying model.
RemediationAI
Upgrade immediately to FreeScout version 1.8.213 or later, available at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213. The patch implements proper input filtering in both connectionIncomingSave() and connectionOutgoingSave() methods to allowlist only connection-specific parameters, preventing injection of security-sensitive fields like auto_bcc, out_server, signature, and auto_reply settings. After upgrading, audit all existing mailbox configurations for unauthorized modifications: review auto_bcc recipients in mailbox settings, verify out_server SMTP configurations match expected values, inspect email signatures for injected content, and check auto_reply settings for unexpected messages. If immediate patching is not possible, implement application-layer Web Application Firewall rules to block POST requests to /mailbox/connection/* endpoints containing parameters outside the expected set (in_server, in_port, in_username, in_password, out_server, out_port, out_username, out_password, out_encryption)-though this is complex to maintain and may break legitimate functionality. Review admin account access logs for suspicious connection setting changes and consider temporarily restricting mailbox configuration privileges to a single trusted administrator until patching is complete. Note that manual database inspection may be required to detect historical exploitation as the injected values appear as legitimate configuration in the mailboxes table.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24171