CVE-2025-48476

CVSS v3.1

8.8

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions FreeScout versions prior to 1.8.180

Description The issue is related to a mass-assignment vulnerability. When adding and editing user records using the

fill()

method, there is no check for the absence of the

password

field in the user data. This allows a user with permission to edit other users to change their password and log in with the set password.

Recommendations For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting access to the

fill()

method for user record editing to minimize the risk of exploitation.

Fix

LPE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-841

Related Identifiers

BDU:2025-06952

CVE-2025-48476

GHSA-7H5M-Q39P-H849

Affected Products

Freescout

CVE-2025-48476

Weakness Enumeration

Related Identifiers

Affected Products

References · 9