9.1

CVE-2026-40496

Exploit

FreeScout has Predictable Attachment Token that Allows Unauthenticated Private File Download via Brute Force

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download tokens are generated using a weak and predictable formula: `md5(APP_KEY + attachment_id + size)`. Since attachment_id is sequential and size can be brute-forced in a small range, an unauthenticated attacker can forge valid tokens and download any private attachment without credentials. Version 1.8.213 fixes the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
FreescoutFreescout Version < 1.8.213
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.4% 0.32
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
security-advisories@github.com 8.8 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

CWE-340 Generation of Predictable Numbers or Identifiers

The product uses a scheme that generates numbers or identifiers that are more predictable than required.

https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-2783-wxmm-wmwr
Vendor Advisory
Exploit
https://github.com/freescout-help-desk/freescout/commit/dbdf8f2260b43a21818255c70f0b61b9de9cd555
Patch
https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213
Release Notes