FreeScout's client-controlled attachment IDs allow deletion of existing conversation attachments

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any IDs present in `attachments_all[]` but omitted from retained lists are decrypted and passed directly to `Attachment::deleteByIds()`. Because `load_attachments` returns encrypted IDs for attachments on a visible conversation, a mailbox peer can replay those IDs through `save_draft` and delete the original attachment row and file. Version 1.8.215 fixes the vulnerability.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

授权机制缺失

FreeScout 安全漏洞

FreeScout是FreeScout公司的一个使用 PHP（Laravel 框架）构建的超轻量级且功能强大的免费开源帮助台和共享收件箱。 FreeScout 1.8.215之前版本存在安全漏洞，该漏洞源于回复和草稿流程信任客户端提供的加密附件ID，可能导致邮箱同行通过save_draft重放ID，删除原始附件行和文件。

N/A

N/A