CVE-2025-48475

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the System does not provide a check on which "clients" of the System an authorized user can view and edit, and which ones they cannot. As a result, an authorized user who does not have access to any of the existing mailboxes, as well as to any of the existing conversations, has the ability to view and edit the System's clients. The limitation of client visibility can be implemented by the limit_user_customer_visibility setting, however, in the specified scenarios, there is no check for the presence of this setting. This issue has been patched in version 1.8.180.

CVSS

No CVSS.

References

Link	Resource
https://github.com/freescout-help-desk/freescout/commit/1f154ce039618ed5abd960c97619c23534c0717a
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-xvch-f75c-8w8q

Configurations

No configuration.

History

30 May 2025, 16:31

Type	Values Removed	Values Added
Summary		(es) FreeScout es un servicio de asistencia gratuito y autoalojado, con buzón compartido. Antes de la versión 1.8.180, el sistema no permitía verificar qué "clientes" podía ver y editar un usuario autorizado, y cuáles no. Por lo tanto, un usuario autorizado que no tuviera acceso a ninguno de los buzones ni a las conversaciones existentes, sí podía ver y editar los clientes del sistema. La limitación de la visibilidad de los clientes se podía implementar mediante la opción "limit_user_customer_visibility"; sin embargo, en los casos especificados, no se verificaba su presencia. Este problema se solucionó en la versión 1.8.180.

29 May 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-29 17:15

Updated : 2025-05-30 16:31

NVD link : CVE-2025-48475

Mitre link : CVE-2025-48475

CVE.ORG link : CVE-2025-48475

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2025-48475", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-29T17:15:21.720", "references": [{"url": "https://github.com/freescout-help-desk/freescout/commit/1f154ce039618ed5abd960c97619c23534c0717a", "source": "security-advisories@github.com"}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-xvch-f75c-8w8q", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the System does not provide a check on which \"clients\" of the System an authorized user can view and edit, and which ones they cannot. As a result, an authorized user who does not have access to any of the existing mailboxes, as well as to any of the existing conversations, has the ability to view and edit the System's clients. The limitation of client visibility can be implemented by the limit_user_customer_visibility setting, however, in the specified scenarios, there is no check for the presence of this setting. This issue has been patched in version 1.8.180."}, {"lang": "es", "value": "FreeScout es un servicio de asistencia gratuito y autoalojado, con buz\u00f3n compartido. Antes de la versi\u00f3n 1.8.180, el sistema no permit\u00eda verificar qu\u00e9 \"clientes\" pod\u00eda ver y editar un usuario autorizado, y cu\u00e1les no. Por lo tanto, un usuario autorizado que no tuviera acceso a ninguno de los buzones ni a las conversaciones existentes, s\u00ed pod\u00eda ver y editar los clientes del sistema. La limitaci\u00f3n de la visibilidad de los clientes se pod\u00eda implementar mediante la opci\u00f3n \"limit_user_customer_visibility\"; sin embargo, en los casos especificados, no se verificaba su presencia. Este problema se solucion\u00f3 en la versi\u00f3n 1.8.180."}], "lastModified": "2025-05-30T16:31:03.107", "sourceIdentifier": "security-advisories@github.com"}