CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48481 – FreeScout Has Business Logic Errors
https://notcve.org/view.php?id=CVE-2025-48481
30 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, an attacker with an unactivated email invitation containing invite_hash, can exploit this vulnerability to self-activate their account, despite it being blocked or deleted, by leveraging the invitation link from the email to gain initial access to the account. This issue has been patched in version 1.8.180. • https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-jgj2-x749-5wc7 • CWE-841: Improper Enforcement of Behavioral Workflow •
CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48480 – FreeScout Has Business Logic Errors
https://notcve.org/view.php?id=CVE-2025-48480
30 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, an authorized user with the administrator role or with the privilege User::PERM_EDIT_USERS can create a user, specifying the path to the user's avatar ../.htaccess during creation, and then delete the user's avatar, resulting in the deletion of the file .htaccess in the folder /storage/app/public. This issue has been patched in version 1.8.180. • https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-pfjf-43mp-3gp2 • CWE-841: Improper Enforcement of Behavioral Workflow •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48479 – FreeScout Has Business Logic Errors
https://notcve.org/view.php?id=CVE-2025-48479
30 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the laravel-translation-manager package does not correctly validate user input, enabling the deletion of any directory, given sufficient access rights. This issue has been patched in version 1.8.180. • https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-627h-pc3c-w68h • CWE-841: Improper Enforcement of Behavioral Workflow •
CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48478 – FreeScout Has Business Logic Errors
https://notcve.org/view.php?id=CVE-2025-48478
30 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, insufficient input validation during user creation has resulted in a mass assignment vulnerability, allowing an attacker to manipulate all fields of the object, which are enumerated in the $fillable array (the User object), when creating a new user. This issue has been patched in version 1.8.180. • https://github.com/freescout-help-desk/freescout/commit/d2048f59a899dbcfc9a71bb98549ead81cdb62a5 • CWE-841: Improper Enforcement of Behavioral Workflow •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48477 – FreeScout Has Business Logic Errors
https://notcve.org/view.php?id=CVE-2025-48477
30 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application's logic requires the user to perform a correct sequence of actions to implement a functional capability, but the application allows access to the functional capability without correctly completing one or more actions in the sequence. The leaves the attributes of Mailbox object able to be changed by the fill method. This issue has been patched in version 1.8.180. • https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-2c82-qx7x-35h8 • CWE-841: Improper Enforcement of Behavioral Workflow •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48476 – FreeScout Has Business Logic Errors
https://notcve.org/view.php?id=CVE-2025-48476
30 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, when adding and editing user records using the fill() method, there is no check for the absence of the password field in the data coming from the user, which leads to a mass-assignment vulnerability. As a result, a user with the right to edit other users of the system can change their password, and then log in to the system using the set password. This issue has been patched in version 1.8.180. • https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-7h5m-q39p-h849 • CWE-841: Improper Enforcement of Behavioral Workflow •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48475 – FreeScout Vulnerable to Insufficient Authorization
https://notcve.org/view.php?id=CVE-2025-48475
29 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the System does not provide a check on which "clients" of the System an authorized user can view and edit, and which ones they cannot. As a result, an authorized user who does not have access to any of the existing mailboxes, as well as to any of the existing conversations, has the ability to view and edit the System's clients. The limitation of client visibility can be implemented by the limit_user_customer_visibility s... • https://github.com/freescout-help-desk/freescout/commit/1f154ce039618ed5abd960c97619c23534c0717a • CWE-863: Incorrect Authorization •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48474 – FreeScout Vulnerable to Insufficient Authorization
https://notcve.org/view.php?id=CVE-2025-48474
29 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application incorrectly checks user access rights for conversations. Users with show_only_assigned_conversations enabled can assign themselves to an arbitrary conversation from the mailbox to which they have access, thereby bypassing the restriction on viewing conversations. This issue has been patched in version 1.8.180. • https://github.com/freescout-help-desk/freescout/commit/87cdb65d6b632b5292bcac2d7a209f6e36ae51d7 • CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48473 – FreeScout Vulnerable to Insufficient Authorization
https://notcve.org/view.php?id=CVE-2025-48473
29 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, when creating a conversation from a message in another conversation, there is no check to ensure that the user has the ability to view this message. Thus, the user can view arbitrary messages from other mailboxes or from other conversations to which they do not have access (access restriction to conversations is implemented by the show_only_assigned_conversations setting, which is also not checked). This issue has been p... • https://github.com/freescout-help-desk/freescout/commit/2552a2b84248824b73c35b2699aa86da644eea1a • CWE-863: Incorrect Authorization •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48472 – FreeScout Vulnerable to Insufficient Authorization
https://notcve.org/view.php?id=CVE-2025-48472
29 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, there is no check to ensure that the user is disabling notifications for the mailbox to which they already have access. Moreover, the code explicitly implements functionality that if the user does not have access to the mailbox, then after disabling (enabling) notifications for this mailbox, the user will gain access to it. This issue has been patched in version 1.8.179. • https://github.com/freescout-help-desk/freescout/commit/01c91d2086ddd56778698e557138a178b2f59916 • CWE-863: Incorrect Authorization •