CVE-2025-48476 in freescoutinfo

Summary

by MITRE • 05/30/2025

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, when adding and editing user records using the fill() method, there is no check for the absence of the password field in the data coming from the user, which leads to a mass-assignment vulnerability. As a result, a user with the right to edit other users of the system can change their password, and then log in to the system using the set password. This issue has been patched in version 1.8.180.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/30/2025

The vulnerability identified as CVE-2025-48476 affects FreeScout, a self-hosted help desk and shared mailbox solution that enables organizations to manage customer support workflows. This security flaw resides within the user management functionality of the application, specifically in how user records are processed when utilizing the fill() method for data manipulation. The vulnerability represents a classic mass assignment issue that has been documented under CWE-915 and aligns with ATT&CK technique T1078.004, which involves the use of valid accounts to log into systems. The flaw exists in versions prior to 1.8.180, making all earlier releases susceptible to exploitation by malicious actors who understand the application's internal data structures.

The technical implementation of this vulnerability stems from insufficient input validation within the user record modification process. When administrators or authorized users attempt to add or edit user accounts through the application's interface, the fill() method processes incoming data without proper sanitization of the password field. This absence of validation means that any user with appropriate permissions to modify other user records can potentially inject additional fields into the data structure being processed. The vulnerability exploits the application's trust in the data flow without proper verification of field integrity, allowing attackers to manipulate the password field directly through the mass assignment mechanism. This design flaw creates a path for privilege escalation attacks where unauthorized access can be achieved through legitimate administrative functions.

The operational impact of this vulnerability extends beyond simple unauthorized access as it fundamentally undermines the application's user authentication and authorization model. An attacker with access to user editing privileges can modify any user's password field within the application, effectively gaining unauthorized access to any user account within the system. This creates a significant risk for organizations relying on FreeScout for customer support management, as it allows for potential data breaches, service disruption, and unauthorized modification of sensitive information. The vulnerability also enables lateral movement within the system, as compromised accounts can be used to access additional resources or escalate privileges to administrative levels. The impact is particularly severe for organizations that rely heavily on shared mailboxes and help desk functionality, as these accounts often contain sensitive customer data and business-critical information.

Mitigation strategies for this vulnerability should focus on implementing proper input validation and field sanitization within the application's user management components. Organizations should immediately upgrade to FreeScout version 1.8.180 or later, which includes the necessary patches to address the mass assignment vulnerability. Additionally, system administrators should review and implement proper access controls to limit who can modify user accounts, following the principle of least privilege. The implementation of field-level validation should be enforced to ensure that only explicitly permitted fields can be modified through the fill() method, preventing unauthorized injection of sensitive fields like passwords. Security monitoring should be enhanced to detect unusual user account modifications, and regular security audits should be conducted to verify proper implementation of input validation mechanisms. This vulnerability serves as a reminder of the critical importance of proper data sanitization and the potential consequences of inadequate input validation in web applications.

Responsible

GitHub M

Reservation

05/22/2025

Disclosure

05/30/2025

Moderation

accepted

CPE

ready

EPSS

0.00448

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!