CVE-2024-28186
📋 TL;DR
This vulnerability in FreeScout exposes SMTP server credentials to authenticated users through stack traces stored in the database and accessible via a specific endpoint. Attackers can steal these credentials to send unauthorized emails from the compromised SMTP server. All FreeScout installations before version 1.8.124 are affected.
💻 Affected Systems
- FreeScout
📦 What is this software?
Freescout by Freescout
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain SMTP credentials, send phishing emails or spam from the organization's legitimate email server, leading to reputational damage, credential harvesting, or malware distribution.
Likely Case
Authenticated users or attackers who compromise user accounts access SMTP credentials and use them for unauthorized email sending.
If Mitigated
Limited to authenticated users only, with monitoring detecting unusual email sending patterns.
🎯 Exploit Status
Exploitation requires authenticated access to the application; the vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.124
Vendor Advisory: https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-7wcq-2qmv-mvcm
Restart Required: Yes
Instructions:
1. Backup your FreeScout installation and database.
2. Download version 1.8.124 or later from the official repository.
3. Replace the existing files with the updated version.
4. Run any database migrations if required.
5. Restart the web server (e.g., Apache, Nginx).
🔧 Temporary Workarounds
Disable stack trace logging
Modify the application configuration to prevent storing complete stack traces in the database.
Edit the FreeScout configuration file to set error logging to exclude stack traces or store them securely.
Restrict access to vulnerable endpoint
Use web server rules or application firewalls to block access to /conversation/ajax-html/send_log.
In Apache:
  <Location "/conversation/ajax-html/send_log">
      Require all denied
  </Location>
In Nginx:
  location /conversation/ajax-html/send_log { deny all; }
🧯 If You Can't Patch
- Change SMTP credentials immediately and monitor for unauthorized use.
- Implement network segmentation to restrict SMTP server access to only trusted IPs.
🔍 How to Verify
Check if Vulnerable:
Check if the application version is below 1.8.124 by viewing the version in the admin panel or checking the application files.
Check Version:
Check the version in the FreeScout admin interface or inspect the application's version file if available.
Verify Fix Applied:
After upgrading to 1.8.124 or later, confirm that stack traces no longer contain SMTP credentials by testing the endpoint or reviewing logs.
📡 Detection & Monitoring
Log Indicators:
- Unusual access to /conversation/ajax-html/send_log endpoint
- Failed SMTP authentication attempts with stolen credentials
Network Indicators:
- Unexpected outbound SMTP traffic from the application server
SIEM Query:
source="freescout_logs" AND (url="/conversation/ajax-html/send_log" OR message="SMTP authentication failed")
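The SIEM query above assumes the logs are already indexed. As an added example (not part of this advisory or of FreeScout), the following Python script does the same two checks offline: it compares an installed version string against the fixed release 1.8.124 (for the "How to Verify" step), and it scans web server access-log lines in the common Apache/Nginx "combined" format for requests to the /conversation/ajax-html/send_log endpoint, counting them per source IP so a reviewer can see which clients pulled send logs. The log lines, the regular expression and the function names are constructed for this example and are not from the advisory.

```python
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Endpoint named in the advisory; requests to it by any account are worth reviewing.
SEND_LOG_PATH = "/conversation/ajax-html/send_log"
# First release that no longer stores credential-bearing stack traces (per the advisory).
FIXED_VERSION = (1, 8, 124)

# Apache/Nginx "combined" access-log format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.8.123' into (1, 8, 123) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed FreeScout version is older than the fixed release 1.8.124."""
    return parse_version(version) < FIXED_VERSION


def find_send_log_requests(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Return (ip, user, status) for every request whose path is the send_log endpoint."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        path = match.group("path").split("?", 1)[0]  # drop the query string before comparing
        if path == SEND_LOG_PATH:
            hits.append((match.group("ip"), match.group("user"), int(match.group("status"))))
    return hits


def accesses_per_ip(lines: Iterable[str]) -> Counter:
    """Count send_log requests per source IP; repeated pulls from one client stand out."""
    return Counter(ip for ip, _, _ in find_send_log_requests(lines))


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:22 +0000] "GET /conversations/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:01:30 +0000] "GET /conversation/ajax-html/send_log?thread_id=45 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2024:10:02:01 +0000] "GET /conversation/ajax-html/send_log HTTP/1.1" 200 2190 "-" "curl/8.4.0"',
    '198.51.100.23 - - [12/Mar/2024:10:02:05 +0000] "GET /conversation/ajax-html/send_log HTTP/1.1" 200 2190 "-" "curl/8.4.0"',
    '192.0.2.9 - - [12/Mar/2024:10:03:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("1.8.123 vulnerable:", is_vulnerable("1.8.123"))
    print("1.8.124 vulnerable:", is_vulnerable("1.8.124"))
    for ip, count in accesses_per_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} send_log request(s)")
```

Because FreeScout authenticates through its own session rather than HTTP auth, the remote-user field is normally "-"; correlating a flagged IP with the application's own login records is how you tie a request back to an account.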
🔗 References
- https://github.com/freescout-helpdesk/freescout/commit/33639a89554998dcac645613130a27ac7872605e
- https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-7wcq-2qmv-mvcm