Unrated severityNVD Advisory· Published May 30, 2025· Updated May 30, 2025

FreeScout Has Business Logic Errors

CVE-2025-48476

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, when adding and editing user records using the fill() method, there is no check for the absence of the password field in the data coming from the user, which leads to a mass-assignment vulnerability. As a result, a user with the right to edit other users of the system can change their password, and then log in to the system using the set password. This issue has been patched in version 1.8.180.

Affected products

Freescout/Freescoutv5
Range: < 1.8.180

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/freescout-help-desk/freescout/security/advisories/GHSA-7h5m-q39p-h849mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000