Filtered by vendor Freescout
Subscribe
Total
30 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-48473 | 1 Freescout | 1 Freescout | 2025-07-11 | N/A | 4.3 MEDIUM |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, when creating a conversation from a message in another conversation, there is no check to ensure that the user has the ability to view this message. Thus, the user can view arbitrary messages from other mailboxes or from other conversations to which they do not have access (access restriction to conversations is implemented by the show_only_assigned_conversations setting, which is also not checked). This issue has been patched in version 1.8.179. | |||||
| CVE-2025-48390 | 1 Freescout | 1 Freescout | 2025-07-11 | N/A | 7.2 HIGH |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, FreeScout is vulnerable to code injection due to insufficient validation of user input in the php_path parameter. The backticks characters are not removed, as well as tabulation is not removed. When checking user input, the file_exists function is also called to check for the presence of such a file (folder) in the file system. A user with the administrator role can create a translation for the language, which will create a folder in the file system. Further in tools.php, the user can specify the path to this folder as php_path, which will lead to the execution of code in backticks. This issue has been patched in version 1.8.178. | |||||
| CVE-2025-48389 | 1 Freescout | 1 Freescout | 2025-07-11 | N/A | 7.2 HIGH |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, FreeScout is vulnerable to deserialization of untrusted data due to insufficient validation. Through the set function, a string with a serialized object can be passed, and when getting an option through the get method, deserialization will occur, which will allow arbitrary code execution This issue has been patched in version 1.8.178. | |||||
| CVE-2025-48388 | 1 Freescout | 1 Freescout | 2025-07-11 | N/A | 6.5 MEDIUM |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, the application performs insufficient validation of user-supplied data, which is used as arguments to string formatting functions. As a result, an attacker can pass a string containing special symbols (\r, \n, \t)to the application. This issue has been patched in version 1.8.178. | |||||
| CVE-2025-48474 | 1 Freescout | 1 Freescout | 2025-07-02 | N/A | 8.1 HIGH |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application incorrectly checks user access rights for conversations. Users with show_only_assigned_conversations enabled can assign themselves to an arbitrary conversation from the mailbox to which they have access, thereby bypassing the restriction on viewing conversations. This issue has been patched in version 1.8.180. | |||||
| CVE-2025-48475 | 1 Freescout | 1 Freescout | 2025-07-02 | N/A | 8.1 HIGH |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the System does not provide a check on which "clients" of the System an authorized user can view and edit, and which ones they cannot. As a result, an authorized user who does not have access to any of the existing mailboxes, as well as to any of the existing conversations, has the ability to view and edit the System's clients. The limitation of client visibility can be implemented by the limit_user_customer_visibility setting, however, in the specified scenarios, there is no check for the presence of this setting. This issue has been patched in version 1.8.180. | |||||
| CVE-2025-48472 | 1 Freescout | 1 Freescout | 2025-06-10 | N/A | 8.1 HIGH |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, there is no check to ensure that the user is disabling notifications for the mailbox to which they already have access. Moreover, the code explicitly implements functionality that if the user does not have access to the mailbox, then after disabling (enabling) notifications for this mailbox, the user will gain access to it. This issue has been patched in version 1.8.179. | |||||
| CVE-2025-48471 | 1 Freescout | 1 Freescout | 2025-06-10 | N/A | 9.8 CRITICAL |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, the application does not check or performs insufficient checking of files uploaded to the application. This allows files to be uploaded with the phtml and phar extensions, which can lead to remote code execution if the Apache web server is used. This issue has been patched in version 1.8.179. | |||||
| CVE-2025-48486 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 5.4 MEDIUM |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the cross-site scripiting (XSS) vulnerability is caused by the lack of input validation and sanitization in both \Session::flash and __, allowing user input to be executed without proper filtering. This issue has been patched in version 1.8.180. | |||||
| CVE-2025-48487 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 4.8 MEDIUM |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, when creating a translation of a phrase that appears in a flash-message after a completed action, it is possible to inject a payload to exploit XSS vulnerability. This issue has been patched in version 1.8.180. | |||||
| CVE-2025-48488 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 5.4 MEDIUM |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, deleting the file .htaccess allows an attacker to upload an HTML file containing malicious JavaScript code to the server, which can result in a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.180. | |||||
| CVE-2025-48489 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 4.8 MEDIUM |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to insufficient data validation and sanitization during data reception. This issue has been patched in version 1.8.180. | |||||
| CVE-2025-48875 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 5.4 MEDIUM |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of last_name and first_name during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.181. | |||||
| CVE-2025-48880 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 6.6 MEDIUM |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, when an administrative account is a deleting a user, there is the the possibility of a race condition occurring. This issue has been patched in version 1.8.181. | |||||
| CVE-2025-48476 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 8.8 HIGH |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, when adding and editing user records using the fill() method, there is no check for the absence of the password field in the data coming from the user, which leads to a mass-assignment vulnerability. As a result, a user with the right to edit other users of the system can change their password, and then log in to the system using the set password. This issue has been patched in version 1.8.180. | |||||
| CVE-2025-48477 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 8.1 HIGH |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application's logic requires the user to perform a correct sequence of actions to implement a functional capability, but the application allows access to the functional capability without correctly completing one or more actions in the sequence. The leaves the attributes of Mailbox object able to be changed by the fill method. This issue has been patched in version 1.8.180. | |||||
| CVE-2025-48478 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 4.9 MEDIUM |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, insufficient input validation during user creation has resulted in a mass assignment vulnerability, allowing an attacker to manipulate all fields of the object, which are enumerated in the $fillable array (the User object), when creating a new user. This issue has been patched in version 1.8.180. | |||||
| CVE-2025-48479 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 2.7 LOW |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the laravel-translation-manager package does not correctly validate user input, enabling the deletion of any directory, given sufficient access rights. This issue has been patched in version 1.8.180. | |||||
| CVE-2025-48480 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 2.7 LOW |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, an authorized user with the administrator role or with the privilege User::PERM_EDIT_USERS can create a user, specifying the path to the user's avatar ../.htaccess during creation, and then delete the user's avatar, resulting in the deletion of the file .htaccess in the folder /storage/app/public. This issue has been patched in version 1.8.180. | |||||
| CVE-2025-48481 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 9.8 CRITICAL |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, an attacker with an unactivated email invitation containing invite_hash, can exploit this vulnerability to self-activate their account, despite it being blocked or deleted, by leveraging the invitation link from the email to gain initial access to the account. This issue has been patched in version 1.8.180. | |||||