CVE-2025-48476

Name of the Vulnerable Software and Affected Versions FreeScout versions prior to 1.8.180

Description The issue is related to a mass-assignment vulnerability. When adding and editing user records using the fill() method, there is no check for the absence of the password field in the user data. This allows a user with permission to edit other users to change their password and log in with the set password.

Recommendations For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting access to the fill() method for user record editing to minimize the risk of exploitation.