漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
FreeScout has an Unauthenticated IDOR in Open Tracking Endpoint Allows Cross-Conversation Thread Manipulation and Enumeration
Vulnerability Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and does not validate whether the given thread_id belongs to the given conversation_id. This allows any unauthenticated attacker to mark any thread as read by passing arbitrary IDs, enumerate valid thread IDs via HTTP response codes (200 vs 404), and manipulate opened_at timestamps across conversations (IDOR). This vulnerability is fixed in 1.8.212.
CVSS Information
N/A
Vulnerability Type
关键功能的认证机制缺失
Vulnerability Title
FreeScout 安全漏洞
Vulnerability Description
FreeScout是FreeScout公司的一个使用 PHP(Laravel 框架)构建的超轻量级且功能强大的免费开源帮助台和共享收件箱。 FreeScout 1.8.212之前版本存在安全漏洞,该漏洞源于端点GET /thread/read/{conversation_id}/{thread_id}无需身份验证且未验证thread_id是否属于给定的conversation_id,可能导致未经验证的攻击者将任意线程标记为已读、枚举有效线程ID以及跨对话操作时间戳。
CVSS Information
N/A
Vulnerability Type
N/A