Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax with action=create. Under limited visibility, the endpoint drops unique-email validation. If the supplied email already belongs to a hidden customer, Customer::create() reuses that hidden customer object and fills empty profile fields from attacker-controlled input. Version 1.8.214 fixes the vulnerability.
AnalysisAI
FreeScout prior to version 1.8.214 permits authenticated users to modify hidden customer profiles through email-based object reuse in the customer creation endpoint. By supplying an email address already associated with a hidden customer via POST /customers/ajax?action=create, an attacker can bypass unique-email validation and populate that customer's empty profile fields with arbitrary data, enabling account takeover or data manipulation without administrative privileges.
Technical ContextAI
FreeScout's customer management system implements a 'Create a new customer' flow accessible through the Change Customer modal. The vulnerability stems from CWE-639 (Authorization Through User-Controlled Key), where the endpoint validates input based on email uniqueness but fails to enforce visibility restrictions. When a duplicate email is submitted, the application reuses the existing Customer object rather than rejecting the request, allowing authenticated users to modify fields belonging to customers outside their normal authorization scope. The vulnerability is confined to the POST /customers/ajax endpoint with action=create parameter and affects the customer profile object instantiation logic in Customer::create().
RemediationAI
Upgrade FreeScout to version 1.8.214 or later immediately. The vendor has released a patched version that restores unique-email validation and prevents object reuse from hidden customer records. Users unable to upgrade immediately should restrict access to the customer management interface by limiting authenticated user roles - specifically disable or remove the customer creation permission from non-administrative accounts. Additionally, monitor POST requests to /customers/ajax?action=create for suspicious email parameters or requests from unexpected user roles. No additional compensating controls are available short of patching, as the vulnerability is inherent to the endpoint logic.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24185