Impact
FreeScout, a self‑hosted help‑desk platform, allows a low‑privileged agent to create a phone conversation with attacker‑controlled values for customer_id, name, to_email and phone. Because the backend does not enforce mailbox‑scoped customer visibility, the agent can associate the new conversation with a hidden customer that belongs to another mailbox and add an alias email to that hidden customer record. The flaw permits unauthorized modification of customer data across mailbox boundaries, compromising data integrity and potentially exposing sensitive customer information. The weakness is identified as CWE‑639.
Affected Systems
The affected product is FreeScout Help Desk (freescout‑help‑desk). All deployments running any version before 1.8.214 are vulnerable. Version 1.8.214 and later contain a fix that validates customer visibility before creating the conversation.
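The following is an added illustration of the CWE-639 pattern described above and of the kind of visibility check the fix introduces; it is a hypothetical model written for this page, not FreeScout's own code, and all names (Customer, Conversation, visible_in, the agent/mailbox sample data) are assumptions. The vulnerable handler trusts the client-supplied customer_id, so an agent on mailbox 1 can attach a conversation to a customer visible only in mailbox 2 and append an alias email to it; the hardened handler rejects the request before anything is written.

```python
"""Hypothetical model of mailbox-scoped customer visibility (not FreeScout code)."""
from dataclasses import dataclass, field


@dataclass
class Customer:
    id: int
    visible_in: set          # mailboxes in which this customer record may be seen
    emails: list = field(default_factory=list)


@dataclass
class Conversation:
    customer_id: int
    mailbox_id: int
    phone: str
    to_email: str


class NotAuthorized(Exception):
    pass


def sample_customers():
    # Constructed sample data: customer 7 is visible in mailbox 1,
    # customer 42 exists only in mailbox 2 (hidden from mailbox-1 agents).
    return {7: Customer(7, {1}, ["alice@example.com"]),
            42: Customer(42, {2}, ["hidden@example.com"])}


AGENT_MAILBOXES = {"agent": {1}}   # constructed: the agent may use mailbox 1 only


def create_phone_conversation_vulnerable(agent, mailbox_id, customer_id, phone, to_email, customers):
    # CWE-639: customer_id comes from the request and is used directly,
    # with no check that the record is visible in the agent's mailbox.
    customer = customers[customer_id]
    if to_email not in customer.emails:
        customer.emails.append(to_email)       # alias silently added to a foreign customer
    return Conversation(customer_id, mailbox_id, phone, to_email)


def create_phone_conversation_fixed(agent, mailbox_id, customer_id, phone, to_email, customers,
                                    agent_mailboxes=AGENT_MAILBOXES):
    # Object-level authorization first: the agent must have access to the mailbox,
    # and the customer must be visible in that same mailbox. Only then write.
    if mailbox_id not in agent_mailboxes.get(agent, set()):
        raise NotAuthorized("agent %s has no access to mailbox %d" % (agent, mailbox_id))
    customer = customers.get(customer_id)
    if customer is None or mailbox_id not in customer.visible_in:
        raise NotAuthorized("customer %d is not visible in mailbox %d" % (customer_id, mailbox_id))
    if to_email not in customer.emails:
        customer.emails.append(to_email)
    return Conversation(customer_id, mailbox_id, phone, to_email)
```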
Risk and Exploitability
The CVSS score is 7.1, indicating a high-severity vulnerability. Exploitation requires an authenticated user with low privileges within the application; the attack is carried out by an authenticated, in-application user and does not involve remote code execution. Because Exploit Prediction Scoring System (EPSS) data is unavailable and the vulnerability is not listed in CISA's KEV catalog, the current likelihood of active exploitation in the wild appears to be moderate. However, the potential for cross-mailbox data tampering warrants prompt remediation.
OpenCVE Enrichment