CVE-2026-40566
Published: April 21, 2026
Updated: April 23, 2026
FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a Server-Side Request Forgery (SSRF) vulnerability in the IMAP/SMTP connection test functionality of FreeScout's "MailboxesController".

Three AJAX actions, "fetch_test" (line 731), "send_test" (line 682), and "imap_folders" (line 773) in "app/Http/Controllers/MailboxesController.php", pass admin-configured "in_server"/"in_port" and "out_server"/"out_port" values directly to "fsockopen()" via "Helper::checkPort()" and to IMAP/SMTP client connections with zero SSRF protection. There is no IP validation, no hostname restriction, no blocklist of internal ranges, and no call to the project's own "sanitizeRemoteUrl()" or "checkUrlIpAndHost()" functions. The validation block in "connectionIncomingSave()" is entirely commented out.

An authenticated admin can configure a mailbox's IMAP or SMTP server to point at any internal host and port, then trigger a connection test. The server opens raw TCP connections (via "fsockopen()") and protocol-level connections (via IMAP client or SMTP transport) to the attacker-specified target. The response differentiates open from closed ports, enabling internal network port scanning. When the IMAP client connects to a non-IMAP service, the target's service banner or error response is captured in the IMAP debug log and returned in the AJAX response's "log" field, making this a semi-blind SSRF that enables service fingerprinting. In cloud environments, the metadata endpoint at "169[.]254[.]169[.]254" can be probed and partial response data may be leaked through protocol error messages.

This is distinct from the "sanitizeRemoteUrl()" redirect bypass (freescout-3): different code path, different root cause, different protocol layer. Version 1.8.213 patches the vulnerability.
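The advisory's root cause is that an admin-supplied host and port reach "fsockopen()" and the IMAP/SMTP clients without any target validation, and that the raw connection outcome (including the IMAP debug log) is echoed back to the browser. The following is an added defensive example, written for this page and not FreeScout's own code or its actual fix; the function names ("isForbiddenIp", "resolveAll", "checkMailServerTarget", "testMailPort") are hypothetical, PHP 8 is assumed, and the list of permitted mail ports is an assumption about what a mail-server test legitimately needs. It shows the three controls the description says are missing: rejecting internal and link-local addresses (including the cloud metadata address), restricting the port, and returning only a reachable/unreachable result rather than socket error text or a banner.

```php
<?php
declare(strict_types=1);
// Added defensive example, not FreeScout's own code. Function names are
// hypothetical; the allowed-port list is an assumption for a mail server.

/** True if $ip must never be the target of a server-side connection test. */
function isForbiddenIp(string $ip): bool
{
    // Rejects loopback, link-local (169.254.0.0/16 and fe80::/10, so the
    // cloud metadata address 169.254.169.254 is covered), RFC 1918 and
    // fc00::/7 private space, and the other reserved ranges in one call.
    $public = filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    if ($public === false) {
        return true;
    }
    // 100.64.0.0/10 (CGNAT) is often used inside clusters and is not
    // treated as reserved by every PHP version, so check it explicitly.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $n = ip2long($ip);
        return $n !== false && ($n & 0xFFC00000) === 0x64400000;
    }
    return false;
}

/** All A/AAAA answers for $host, or the literal itself if it is an IP. */
function resolveAll(string $host): array
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return [$host];
    }
    $ips = [];
    foreach (@dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
        if (isset($rec['ip']))   { $ips[] = $rec['ip']; }
        if (isset($rec['ipv6'])) { $ips[] = $rec['ipv6']; }
    }
    return $ips;
}

/**
 * Validate an admin-supplied host/port before any fsockopen() or IMAP/SMTP
 * connection is made. Returns ['ok' => bool, 'reason' => string, 'ips' => array].
 */
function checkMailServerTarget(string $host, int $port): array
{
    // Only ports a mail server actually listens on (assumption), so the
    // test cannot be turned into a general port prober against other hosts.
    $allowedPorts = [25, 143, 465, 587, 993];
    if (!in_array($port, $allowedPorts, true)) {
        return ['ok' => false, 'reason' => "port $port is not a mail port", 'ips' => []];
    }
    $ips = resolveAll($host);
    if ($ips === []) {
        return ['ok' => false, 'reason' => 'host does not resolve', 'ips' => []];
    }
    // Every answer must be public: a name with one public and one internal
    // record would otherwise still let the test reach the internal one.
    foreach ($ips as $ip) {
        if (isForbiddenIp($ip)) {
            return ['ok' => false, 'reason' => "resolves to forbidden address $ip", 'ips' => []];
        }
    }
    return ['ok' => true, 'reason' => '', 'ips' => $ips];
}

/**
 * Port check that connects to the already-validated IP (not the hostname,
 * so a later DNS answer cannot swap in an internal address) and reports
 * only reachable/unreachable, never the socket error text or a banner.
 */
function testMailPort(string $host, int $port, int $timeout = 5): array
{
    $check = checkMailServerTarget($host, $port);
    if (!$check['ok']) {
        return ['reachable' => false, 'error' => $check['reason']];
    }
    $ip = $check['ips'][0];
    $target = str_contains($ip, ':') ? "[$ip]" : $ip;   // IPv6 literals need brackets
    $errno = 0;
    $errstr = '';
    $sock = @fsockopen($target, $port, $errno, $errstr, $timeout);
    if ($sock === false) {
        // Log $errstr server-side if needed; do not return it to the client.
        return ['reachable' => false, 'error' => 'connection failed'];
    }
    fclose($sock);
    return ['reachable' => true, 'error' => ''];
}

// Constructed inputs: the rejected cases are the kinds of internal targets
// the advisory describes, and none of them causes a connection attempt.
foreach ([['127.0.0.1', 143], ['169.254.169.254', 993], ['10.0.0.5', 25],
          ['fd00::1', 993], ['100.64.1.1', 587], ['203.0.113.10', 8080]] as [$h, $p]) {
    $r = checkMailServerTarget($h, $p);
    printf("%-16s:%-5d %s %s\n", $h, $p, $r['ok'] ? 'allowed' : 'rejected', $r['reason']);
}
```

Two design points matter beyond the address check itself. The resolution is done once and the validated IP is what gets connected to, which closes the window between "check the name" and "connect to the name"; when the real IMAP/SMTP client is then used over TLS, the original hostname still has to be supplied for certificate verification and SNI (for example via the stream context's "peer_name"), while the socket goes to the checked address. And the AJAX response carries only a reachable/unreachable verdict: the advisory's fingerprinting and metadata-leak paths exist precisely because the debug log and protocol error text were returned in the response's "log" field, so keeping that detail in server-side logs only removes the information channel even if an address check is ever bypassed.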
CVSS v4
Base Score: 5.1
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: HIGH
User Interaction: NONE
Vulnerable System Confidentiality: LOW
Vulnerable System Integrity: NONE
Vulnerable System Availability: NONE
Subsequent System Confidentiality: LOW
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 4.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality: LOW
Integrity: NONE
Availability: NONE
Weakness Type (CWE): Server-Side Request Forgery (SSRF)