CVE-2024-28186
CVSS 3.1 Score 7.1 of 10 (high)
Details
Summary
CVE-2024-28186 is a vulnerability in FreeScout, an open-source help desk and shared inbox application written in PHP. The application stores the complete stack traces of exceptions in its database; because those traces can contain the SMTP server credentials, the credentials are disclosed to users through the `/conversation/ajax-html/send_log` endpoint. An attacker who obtains these credentials can gain unauthorized access to the organization's email, which in turn enables targeted attacks on both application users and the organization. Users should upgrade to version 1.8.124; complementary mitigations are to avoid storing complete stack traces, to redact sensitive data before it is stored, and to improve logging practices.
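As an added illustration of the redaction mitigation named above (example code, not FreeScout's own), the PHP sketch below stores a stripped, redacted exception summary instead of the full trace; the `SmtpRedactor` class, the `connect()` helper and the sample credentials are constructed assumptions.

```php
<?php
// Added example, not FreeScout code: persist a minimal, redacted record of an
// exception instead of the full stack trace that can carry SMTP credentials.

final class SmtpRedactor
{
    /** Keys whose values must never reach a persisted log. */
    private const SENSITIVE_KEYS = ['password', 'secret', 'token', 'auth'];

    /** @param string[] $secrets concrete values to mask, e.g. the SMTP password */
    public function __construct(private array $secrets) {}

    /** Mask known secret values and any "password=..." style fragment. */
    public function redact(string $text): string
    {
        foreach ($this->secrets as $value) {
            if ($value !== '') {
                $text = str_replace($value, '[REDACTED]', $text);
            }
        }
        $pattern = '/\b(' . implode('|', self::SENSITIVE_KEYS) . ')\b(\s*[=:]\s*)\S+/i';
        return preg_replace($pattern, '$1$2[REDACTED]', $text);
    }

    /** The record to store: class, redacted message, location, and frames without arguments. */
    public function summarize(Throwable $e): array
    {
        return [
            'class'   => get_class($e),
            'message' => $this->redact($e->getMessage()),
            'file'    => basename($e->getFile()),
            'line'    => $e->getLine(),
            // Frame names only: argument values are where credentials usually leak.
            'frames'  => array_map(
                fn(array $f) => ($f['class'] ?? '') . ($f['type'] ?? '') . $f['function'],
                $e->getTrace()
            ),
        ];
    }
}

// Constructed sample: a mail library failing with the credentials in scope.
$smtpConfig = ['host' => 'smtp.example.test', 'username' => 'mailer', 'password' => 'Tr0ub4dor&3'];
function connect(array $cfg): void {
    throw new RuntimeException('SMTP auth failed: user=' . $cfg['username'] . ' password=' . $cfg['password']);
}

try {
    connect($smtpConfig);
} catch (Throwable $e) {
    // Store this, never $e->getTraceAsString(): traces embed argument values
    // unless zend.exception_ignore_args is enabled in php.ini.
    var_export((new SmtpRedactor([$smtpConfig['password']]))->summarize($e));
}
```

Setting `zend.exception_ignore_args=On` (the production default since PHP 7.4) removes argument values from traces at the engine level, but redaction of messages and config dumps is still needed because those are built by application code.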