FreeScout, a PHP Laravel-based help desk application, had a vulnerability in its FetchEmails command prior to version 1.8.220. The email processing pipeline uses two code paths to identify agent replies based on email headers. The notification reply path extracts thread_id and user_id directly from the Message-ID header without HMAC verification, enabling an attacker who can spoof a helpdesk agent's From address to inject messages that FreeScout processes as legitimate agent replies. These messages are then automatically forwarded to customers via the legitimate SMTP server. This flaw constitutes an authentication bypass by spoofing (CWE-290) and improper validation of input (CWE-345). The vulnerability is fixed in version 1.8.220.

An attacker capable of spoofing the From address of a helpdesk agent can send crafted emails that FreeScout incorrectly processes as legitimate agent replies. This can lead to unauthorized messages being sent to customers from the legitimate SMTP server, potentially causing misinformation, phishing, or reputational damage. The vulnerability impacts confidentiality and integrity of communications but does not affect availability. The CVSS 3.1 score is 7.5 (High), reflecting network attack vector, high impact on integrity, and low impact on confidentiality.

Upgrade FreeScout to version 1.8.220 or later, where this vulnerability is fixed. There is no indication of an official temporary workaround or mitigation other than applying the update. Patch status is not explicitly stated in the vendor advisory but the description confirms the issue is fixed in 1.8.220. Users should verify they are running this version or newer to remediate the vulnerability.