
CVE-2025-48488 – FreeScout Vulnerable to Stored XSS
https://notcve.org/view.php?id=CVE-2025-48488
30 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, deleting the file .htaccess allows an attacker to upload an HTML file containing malicious JavaScript code to the server, which can result in a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.180. • https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-2m76-538h-7hf9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-48880 – FreeScout has Race Condition When Deleting Users
https://notcve.org/view.php?id=CVE-2025-48880
30 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, when an administrative account deletes a user, a race condition can occur. This issue has been patched in version 1.8.181. • https://github.com/freescout-help-desk/freescout/commit/3f5bb2841f7de3303bc3cb00930a28440754d122 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVE-2025-48875 – FreeScout Vulnerable to Stored XSS
https://notcve.org/view.php?id=CVE-2025-48875
30 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of last_name and first_name during profile data updates allows the injection of arbitrary JavaScript code, which is executed in a flash message when the data is deleted, leading to a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.181. • https://github.com/freescout-help-desk/freescout/commit/508dda16853a39fcb6c2b46ea7b7f442d5f7eda7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-48489 – FreeScout Vulnerable to Stored XSS
https://notcve.org/view.php?id=CVE-2025-48489
30 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to insufficient data validation and sanitization during data reception. This issue has been patched in version 1.8.180. • https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-jqjf-f566-485j • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-48487 – FreeScout Vulnerable to Stored XSS
https://notcve.org/view.php?id=CVE-2025-48487
30 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, when creating a translation of a phrase that appears in a flash-message after a completed action, it is possible to inject a payload to exploit XSS vulnerability. This issue has been patched in version 1.8.180. • https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wg2q-m2fj-x6j4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-48486 – FreeScout Vulnerable to Stored XSS
https://notcve.org/view.php?id=CVE-2025-48486
30 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the cross-site scripting (XSS) vulnerability is caused by the lack of input validation and sanitization in both \Session::flash and __ (the translation helper), allowing user input to be rendered in the page without proper encoding. This issue has been patched in version 1.8.180. • https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9jpm-xrpc-cv66 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
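The three flash-message entries above (CVE-2025-48875, CVE-2025-48487 and CVE-2025-48486) share one root cause: user-controlled strings are interpolated into a translated message template and the result is rendered as HTML without encoding. The following stand-alone PHP is an added illustration written for this page, not FreeScout's code or its actual fix; `translate`, `flashUnsafe`, `flashSafe` and the message table are hypothetical stand-ins for Laravel's `__()` and `\Session::flash()`, and the profile values are constructed.

```php
<?php
// Added example (not FreeScout code): how a flash message built from a
// translated template plus user-controlled values becomes stored XSS, and
// a safe variant that encodes the values before interpolation.
// translate(), flashUnsafe(), flashSafe() and MESSAGES are hypothetical.

declare(strict_types=1);

// Constructed translation table. Note that if translations are editable by
// low-privileged users (the CVE-2025-48487 pattern), the template itself is
// untrusted too and must be restricted to administrators or escaped as a whole.
const MESSAGES = [
    'user.deleted' => 'User <strong>:name</strong> has been deleted.',
];

// Minimal stand-in for a translation helper: substitutes :placeholders.
function translate(string $key, array $params): string
{
    $template = MESSAGES[$key] ?? $key;
    foreach ($params as $name => $value) {
        $template = str_replace(':' . $name, $value, $template);
    }
    return $template;
}

// Vulnerable: raw profile values are interpolated and the message is later
// rendered without escaping (the equivalent of Blade's {!! session('flash') !!}).
function flashUnsafe(string $firstName, string $lastName): string
{
    return translate('user.deleted', ['name' => $firstName . ' ' . $lastName]);
}

// Hardened: encode each user-supplied value before it enters the template.
// The template's own markup (<strong>) survives; the values cannot add tags
// or attributes, so the message may still be rendered as HTML.
function flashSafe(string $firstName, string $lastName): string
{
    $name = htmlspecialchars($firstName . ' ' . $lastName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return translate('user.deleted', ['name' => $name]);
}

// Constructed attacker-controlled profile data (the CVE-2025-48875 pattern:
// the payload is stored in first_name and fires when the record is deleted).
$first = '<img src=x onerror=alert(document.cookie)>';
$last  = 'Doe';

echo "unsafe: " . flashUnsafe($first, $last) . "\n";
echo "safe:   " . flashSafe($first, $last) . "\n";
```

Run with `php flash.php`: the unsafe line contains a live `<img onerror=...>` element, the safe line contains `&lt;img src=x onerror=alert(document.cookie)&gt; Doe` inside the intact `<strong>`. The design point is to encode at the trust boundary (each untrusted parameter) rather than relying on the template author to remember `{{ }}` over `{!! !!}` everywhere the flash is displayed.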

CVE-2025-48485 – FreeScout Vulnerable to Stored XSS
https://notcve.org/view.php?id=CVE-2025-48485
30 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data when an authenticated user updates the profile of an arbitrary customer. This issue has been patched in version 1.8.180. • https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-556q-w535-xxg8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-48484 – FreeScout Vulnerable to Stored XSS
https://notcve.org/view.php?id=CVE-2025-48484
30 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data in the conversation POST data body. This issue has been patched in version 1.8.178. • https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-w3j9-7fhq-m8x7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-48483 – FreeScout Stored XSS leads to CSRF
https://notcve.org/view.php?id=CVE-2025-48483
30 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data during mail signature sanitization. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user's browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities. Additionally, if an administr... • https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-g2vq-qwx2-pc2m • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-48482 – FreeScout Has Business Logic Errors
https://notcve.org/view.php?id=CVE-2025-48482
30 May 2025 — FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, there is a mass assignment vulnerability. The Customer object is updated using the fill() method, which processes fields such as channel and channel_id. However, the fill() method is called with all client-provided data, including unexpected values for channel and channel_id, leading to a mass assignment vulnerability. This issue has been patched in version 1.8.180. • https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-7fjp-538q-9vrf • CWE-841: Improper Enforcement of Behavioral Workflow •
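The mass assignment described above, as an added stand-alone PHP illustration that is not FreeScout's code: a `fill()` that writes every key the client sends versus one that accepts only an allowlist. The `Customer` class, its field list and the request body are hypothetical; only `channel` and `channel_id` are taken from the advisory. In Laravel the same effect is obtained with `$request->only([...])` or a tight `$fillable` array instead of `fill($request->all())`.

```php
<?php
// Added example (not FreeScout code): mass assignment through fill() with the
// whole request body versus an allowlisted fill. Customer, UPDATABLE and the
// sample request are hypothetical; channel/channel_id are named in the advisory.

declare(strict_types=1);

final class Customer
{
    // Fields a user may legitimately change through the profile form.
    private const UPDATABLE = ['first_name', 'last_name', 'company', 'job_title'];

    public array $attributes = [
        'id'         => 42,
        'first_name' => 'Alice',
        'last_name'  => 'Doe',
        'company'    => 'Example Inc',
        'job_title'  => 'Engineer',
        'channel'    => null,   // set by the system, never by the client
        'channel_id' => null,
    ];

    // Vulnerable pattern: every key the client sends is written through,
    // so internal fields can be overwritten by adding them to the POST body.
    public function fillUnsafe(array $data): void
    {
        foreach ($data as $key => $value) {
            $this->attributes[$key] = $value;
        }
    }

    // Hardened pattern: only allowlisted keys are accepted; the rest are
    // dropped and returned so the caller can log the attempt.
    public function fill(array $data): array
    {
        $rejected = [];
        foreach ($data as $key => $value) {
            if (in_array($key, self::UPDATABLE, true)) {
                $this->attributes[$key] = $value;
            } else {
                $rejected[] = $key;
            }
        }
        return $rejected;
    }
}

// Constructed request body: one legitimate edit plus smuggled internal fields.
$request = [
    'first_name' => 'Mallory',
    'channel'    => 2,
    'channel_id' => 'attacker-controlled',
];

$c1 = new Customer();
$c1->fillUnsafe($request);
echo "unsafe channel=" . var_export($c1->attributes['channel'], true)
   . " channel_id=" . var_export($c1->attributes['channel_id'], true) . "\n";

$c2 = new Customer();
$rejected = $c2->fill($request);
echo "safe   channel=" . var_export($c2->attributes['channel'], true)
   . " rejected=" . implode(',', $rejected) . "\n";
```

The check a reviewer should apply to any `fill()`/`update()` call is whether its argument is the raw request array; if it is, the set of writable columns is whatever the client chooses to send, and the fix is an explicit allowlist at the call site, not validation of the fields you expected.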