CVE-2025-48476
HIGHDescription
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, when adding and editing user records using the fill() method, there is no check for the absence of the password field in the data coming from the user, which leads to a mass-assignment vulnerability. As a result, a user with the right to edit other users of the system can change their password, and then log in to the system using the set password. This issue has been patched in version 1.8.180.
Is your site exposed to CVE-2025-48476?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| freescout | freescout |
References
Frequently Asked Questions
What is CVE-2025-48476? +
How severe is CVE-2025-48476? +
What products are affected by CVE-2025-48476? +
How do I check if I'm vulnerable to CVE-2025-48476? +
Related Vulnerabilities
User Enumeration and Data Integrity in Barcode functionality in OpenText Content Management versions 24.3-25.1on Windows and Linux allows a malicous …
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a …
Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification …
Our payment integration with Oppwa-based payment methods did not properly validate payment status responses. An attacker could use a successful …
Our payment integration with Computop-based payment methods did not properly validate payment status responses. An attacker could use a successful …
Our payment integration with Mollie did not properly validate payment status responses. An attacker could use a successful payment status …