CVE-2024-28186

FreeScout is an open source help desk and shared inbox built with PHP.

A vulnerability has been identified in the Free Scout Application, which exposes SMTP server credentials used by an organization in the application to users of the application. This issue arises from the application storing complete stack traces of exceptions in its database. The sensitive information is then inadvertently disclosed to users via the /conversation/ajax-html/send_log?folder_id=&thread_id={id} endpoint. The stack trace reveals value of parameters, including the username and password, passed to the Swift_Transport_Esmtp_Auth_LoginAuthenticator->authenticate() function. Exploiting this vulnerability allows an attacker to gain unauthorized access to SMTP server credentials. With this sensitive information in hand, the attacker can potentially send unauthorized emails from the compromised SMTP server, posing a severe threat to the confidentiality and integrity of email communications. This could lead