CVE-2025-48478 - Vulnerability Details

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, insufficient input validation during user creation has resulted in a mass assignment vulnerability, allowing an attacker to manipulate all fields of the object, which are enumerated in the $fillable array (the User object), when creating a new user. This issue has been patched in version 1.8.180.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Freescout	Freescout

Configuration 1 [-]

cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/freescout-help-desk/freescout/commit/d2048f59a899dbcfc9a71bb98549ead81cdb62a5
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-fqjj-79j2-8qx6

History

Wed, 04 Jun 2025 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Freescout Freescout freescout
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:freescout:freescout::::::::
Vendors & Products		Freescout Freescout freescout
Metrics		cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}`

Fri, 30 May 2025 23:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 30 May 2025 04:45:00 +0000

Type	Values Removed	Values Added
Description		FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, insufficient input validation during user creation has resulted in a mass assignment vulnerability, allowing an attacker to manipulate all fields of the object, which are enumerated in the $fillable array (the User object), when creating a new user. This issue has been patched in version 1.8.180.
Title		FreeScout Has Business Logic Errors
Weaknesses		CWE-841
References		https://github.com/freescout-help-desk/freescout/commit/d2048f59a899dbcfc9a71bb98549ead81cdb62a5 https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-fqjj-79j2-8qx6
Metrics		cvssV4_0 `{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-05-30T04:32:12.553Z

Updated: 2025-05-30T22:01:24.683Z

Reserved: 2025-05-22T12:11:39.118Z

Link: CVE-2025-48478

Vulnrichment

Updated: 2025-05-30T14:40:26.223Z

NVD

Status : Analyzed

Published: 2025-05-30T05:15:22.460

Modified: 2025-06-04T15:36:13.370

Link: CVE-2025-48478

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object