CVE-2025-48473

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, when creating a conversation from a message in another conversation, there is no check to ensure that the user has the ability to view this message. Thus, the user can view arbitrary messages from other mailboxes or from other conversations to which they do not have access (access restriction to conversations is implemented by the show_only_assigned_conversations setting, which is also not checked). This issue has been patched in version 1.8.179.

CVSS

No CVSS.

References

Link	Resource
https://github.com/freescout-help-desk/freescout/commit/2552a2b84248824b73c35b2699aa86da644eea1a
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-3x75-7856-r794

Configurations

No configuration.

History

30 May 2025, 16:31

Type	Values Removed	Values Added
Summary		(es) FreeScout es un servicio de asistencia gratuito y autoalojado, con buzón compartido. Antes de la versión 1.8.179, al crear una conversación a partir de un mensaje de otra, no se verificaba que el usuario pudiera ver dicho mensaje. Por lo tanto, el usuario podía ver mensajes arbitrarios de otros buzones o conversaciones a las que no tenía acceso (la restricción de acceso a las conversaciones se implementa mediante la opción "show_only_assigned_conversations", que tampoco está activada). Este problema se ha corregido en la versión 1.8.179.

29 May 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-29 16:15

Updated : 2025-05-30 16:31

NVD link : CVE-2025-48473

Mitre link : CVE-2025-48473

CVE.ORG link : CVE-2025-48473

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2025-48473", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-29T16:15:41.077", "references": [{"url": "https://github.com/freescout-help-desk/freescout/commit/2552a2b84248824b73c35b2699aa86da644eea1a", "source": "security-advisories@github.com"}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-3x75-7856-r794", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, when creating a conversation from a message in another conversation, there is no check to ensure that the user has the ability to view this message. Thus, the user can view arbitrary messages from other mailboxes or from other conversations to which they do not have access (access restriction to conversations is implemented by the show_only_assigned_conversations setting, which is also not checked). This issue has been patched in version 1.8.179."}, {"lang": "es", "value": "FreeScout es un servicio de asistencia gratuito y autoalojado, con buz\u00f3n compartido. Antes de la versi\u00f3n 1.8.179, al crear una conversaci\u00f3n a partir de un mensaje de otra, no se verificaba que el usuario pudiera ver dicho mensaje. Por lo tanto, el usuario pod\u00eda ver mensajes arbitrarios de otros buzones o conversaciones a las que no ten\u00eda acceso (la restricci\u00f3n de acceso a las conversaciones se implementa mediante la opci\u00f3n \"show_only_assigned_conversations\", que tampoco est\u00e1 activada). Este problema se ha corregido en la versi\u00f3n 1.8.179."}], "lastModified": "2025-05-30T16:31:03.107", "sourceIdentifier": "security-advisories@github.com"}