CVE-2025-48472: FreeScout Vulnerable to Insufficient Authorization

6.9 CVSS

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, there is no check that the user is disabling notifications only for a mailbox to which they already have access. Moreover, the code explicitly implements behaviour whereby, if the user does not have access to the mailbox, disabling (or enabling) notifications for that mailbox grants the user access to it. This issue has been patched in version 1.8.179.
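The description above names two defects: a missing authorization check on a per-user notification toggle, and a side effect that grants mailbox access as part of that toggle. The following Python model is an added illustration of that pattern and its fix; it is not FreeScout's code, and the `Mailbox`, `User`, `AccessDenied` names and the two handler functions are hypothetical constructs built for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Mailbox:
    """Constructed model of a shared mailbox and the user ids allowed to see it."""
    id: int
    members: set[int] = field(default_factory=set)


@dataclass
class User:
    """Constructed model of a user and the mailboxes they have muted."""
    id: int
    muted_mailboxes: set[int] = field(default_factory=set)


class AccessDenied(Exception):
    """Raised when a user tries to act on a mailbox they are not a member of."""


def set_notifications_vulnerable(user: User, mailbox: Mailbox, enabled: bool) -> None:
    """Hypothetical 'before' handler: no membership check, and toggling
    notifications silently adds the caller to the mailbox (CWE-863 pattern)."""
    if enabled:
        user.muted_mailboxes.discard(mailbox.id)
    else:
        user.muted_mailboxes.add(mailbox.id)
    # Side effect: a non-member becomes a member just by toggling notifications.
    if user.id not in mailbox.members:
        mailbox.members.add(user.id)


def set_notifications_fixed(user: User, mailbox: Mailbox, enabled: bool) -> None:
    """Hypothetical 'after' handler: authorize first, and never change
    membership from a notification-preference endpoint."""
    if user.id not in mailbox.members:
        raise AccessDenied(f"user {user.id} is not a member of mailbox {mailbox.id}")
    if enabled:
        user.muted_mailboxes.discard(mailbox.id)
    else:
        user.muted_mailboxes.add(mailbox.id)


def demo() -> dict:
    """Run both handlers with a constructed non-member and report the outcome."""
    outsider = User(id=42)
    vulnerable_box = Mailbox(id=7, members={1, 2})
    fixed_box = Mailbox(id=7, members={1, 2})

    set_notifications_vulnerable(outsider, vulnerable_box, enabled=False)
    gained_access = outsider.id in vulnerable_box.members

    outsider_fixed = User(id=42)
    try:
        set_notifications_fixed(outsider_fixed, fixed_box, enabled=False)
        denied = False
    except AccessDenied:
        denied = True

    return {
        "vulnerable_granted_access": gained_access,
        "fixed_denied": denied,
        "fixed_membership_unchanged": fixed_box.members == {1, 2},
    }


if __name__ == "__main__":
    print(demo())
```

The hardened handler makes two separate decisions: an explicit membership check before any state change, and no membership mutation at all, because a preference endpoint should never be the place where access is granted. When reviewing similar code, the check to look for is whether the object being acted on is resolved through the caller's own access scope rather than by a bare identifier from the request.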

Classification

CVE ID: CVE-2025-48472

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.9

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem Types

CWE-863: Incorrect Authorization

Affected Products

Vendor: freescout-help-desk

Product: freescout

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 8.69% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-17 (date on which this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: partial

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2025-48472
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-f62r-8354-8pqg
https://github.com/freescout-help-desk/freescout/commit/01c91d2086ddd56778698e557138a178b2f59916

Timeline