The vulnerability in FreeScout arises from a weak and predictable attachment‑token generation formula, md5(APP_KEY + attachment_id + size). Because attachment identifiers are sequential and the size parameter can be guessed within a small range, an attacker can fabricate valid tokens without authentication and retrieve any private attachment. This defect enables the unauthorized download of confidential documents, compromising confidentiality and potentially exposing sensitive business information. The weakness maps to CWE‑330 and CWE‑340, reflecting insecure random number generation and storage of predictable secrets.

FreeScout, a self‑hosted help‑desk and shared‑mailbox solution. Versions prior to 1.8.213 are affected. The issue occurs in the attachment download endpoint where the token is generated and validated. Users running older releases of the freescout-help-desk:freescout product are at risk, regardless of public or private ticket visibility.

The CVSS score of 8.8 classifies the flaw as high severity. EPSS data is not available, so the likelihood of exploitation cannot be quantified from public data, but the simple brute‑force nature of the attack means a knowledgeable attacker can quickly enumerate attachment tokens. The vulnerability is not reported in CISA’s KEV catalog, but the straightforward attack path – sequential IDs, low‑range size – makes it a high‑impact concern for any system exposing private attachments. Attackers would request tokens via enumeration and download files directly, bypassing all authentication checks.