CVE-2025-48474

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application incorrectly checks user access rights for conversations. Users with show_only_assigned_conversations enabled can assign themselves to an arbitrary conversation from the mailbox to which they have access, thereby bypassing the restriction on viewing conversations. This issue has been patched in version 1.8.180.

CVSS

No CVSS.

References

Link	Resource
https://github.com/freescout-help-desk/freescout/commit/87cdb65d6b632b5292bcac2d7a209f6e36ae51d7
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9wc4-vchw-mr3m

Configurations

No configuration.

History

30 May 2025, 16:31

Type	Values Removed	Values Added
Summary		(es) FreeScout es un servicio de asistencia gratuito y autoalojado, con buzón compartido. Antes de la versión 1.8.180, la aplicación verificaba incorrectamente los derechos de acceso de los usuarios a las conversaciones. Los usuarios con la opción "show_only_assigned_conversations" habilitada podían asignarse a una conversación arbitraria desde el buzón al que tenían acceso, eludiendo así la restricción de visualización de conversaciones. Este problema se ha corregido en la versión 1.8.180.

29 May 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-29 16:15

Updated : 2025-05-30 16:31

NVD link : CVE-2025-48474

Mitre link : CVE-2025-48474

CVE.ORG link : CVE-2025-48474

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2025-48474", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-29T16:15:41.273", "references": [{"url": "https://github.com/freescout-help-desk/freescout/commit/87cdb65d6b632b5292bcac2d7a209f6e36ae51d7", "source": "security-advisories@github.com"}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9wc4-vchw-mr3m", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application incorrectly checks user access rights for conversations. Users with show_only_assigned_conversations enabled can assign themselves to an arbitrary conversation from the mailbox to which they have access, thereby bypassing the restriction on viewing conversations. This issue has been patched in version 1.8.180."}, {"lang": "es", "value": "FreeScout es un servicio de asistencia gratuito y autoalojado, con buz\u00f3n compartido. Antes de la versi\u00f3n 1.8.180, la aplicaci\u00f3n verificaba incorrectamente los derechos de acceso de los usuarios a las conversaciones. Los usuarios con la opci\u00f3n \"show_only_assigned_conversations\" habilitada pod\u00edan asignarse a una conversaci\u00f3n arbitraria desde el buz\u00f3n al que ten\u00edan acceso, eludiendo as\u00ed la restricci\u00f3n de visualizaci\u00f3n de conversaciones. Este problema se ha corregido en la versi\u00f3n 1.8.180."}], "lastModified": "2025-05-30T16:31:03.107", "sourceIdentifier": "security-advisories@github.com"}