CVE-2025-48482

EUVD-2025-16450

30.05.2025, 05:15

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, there is a mass assignment vulnerability. The Customer object is updated using the fill() method, which processes fields such as channel and channel_id. However, the fill() method is called with all client-provided data, including unexpected values for channel and channel_id, leading to a mass assignment vulnerability. This issue has been patched in version 1.8.180.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Affected Products (NVD)

Vendor	Product	Version
freescout	freescout	𝑥 < 1.8.180

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-7fjp-538q-9vrf

Common Weakness Enumeration

CWE-841 - Improper Enforcement of Behavioral Workflow
The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.

References

https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-7fjp-538q-9vrf