
CVE-2025-48475: CWE-863: Incorrect Authorization in freescout-help-desk freescout

Severity: Medium
Tags: Vulnerability, CVE-2025-48475, CWE-863
Published: Thu May 29 2025 (05/29/2025, 16:27:43 UTC)
Source: CVE Database V5
Vendor/Project: freescout-help-desk
Product: freescout

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the System does not provide a check on which "clients" of the System an authorized user can view and edit, and which ones they cannot. As a result, an authorized user who does not have access to any of the existing mailboxes, as well as to any of the existing conversations, has the ability to view and edit the System's clients. The limitation of client visibility can be implemented by the limit_user_customer_visibility setting, however, in the specified scenarios, there is no check for the presence of this setting. This issue has been patched in version 1.8.180.

AI-Powered Analysis

Last updated: 07/07/2025, 23:10:43 UTC

Technical Analysis

CVE-2025-48475 is an authorization vulnerability in FreeScout, a free self-hosted help desk and shared mailbox system, affecting versions prior to 1.8.180. The application does not enforce an access-control check on which clients (customers) an authenticated user may view and edit. Even a user who has been granted no access to any mailbox or conversation can therefore view and modify client records. The setting limit_user_customer_visibility is intended to restrict client visibility, but in the affected code paths it is never consulted, so enabling it does not limit what such a user can see or change.

The issue is classified as CWE-863 (Incorrect Authorization): the application authenticates the user but does not correctly decide what that user is permitted to do. It carries a CVSS 4.0 base score of 5.3 (medium). The vector indicates remote exploitation over the network without user interaction, requiring low privileges (any valid account), with limited confidentiality and integrity impact and no availability impact. The issue is patched in FreeScout 1.8.180. No exploitation in the wild has been reported.

In practice, any account in the help desk that should have been restricted to a subset of mailboxes, or to none, could read and edit client data belonging to other teams or tenants, leading to data leakage, unauthorized modification of records, and loss of confidence in the integrity of the help desk data.
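The authorization gap described above, modelled in code. This is an added illustration and not FreeScout's own code: the classes User and Customer, the settings mapping, and the rule "a customer is visible to a user when they share a mailbox with one of that customer's conversations" are assumptions made for the example. Only the behaviour is taken from the advisory: before 1.8.180 the client view and edit paths did not consult limit_user_customer_visibility, so any authenticated user passed; a correct implementation applies the same check to listing and to editing.

```python
"""Model of CWE-863 as described for CVE-2025-48475 (hypothetical code, not FreeScout's).

User, Customer, the settings dict and the mailbox-sharing rule are assumptions made
for this example; the pre/post-fix behaviour is the only thing taken from the advisory.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Mapping


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False
    mailbox_ids: FrozenSet[int] = frozenset()  # mailboxes the user may access


@dataclass(frozen=True)
class Customer:
    id: int
    # mailboxes holding at least one conversation with this customer (assumed model)
    conversation_mailbox_ids: FrozenSet[int] = frozenset()


Check = Callable[[User, Customer, Mapping[str, bool]], bool]


def customer_visible_unpatched(user: User, customer: Customer, settings: Mapping[str, bool]) -> bool:
    """Pre-1.8.180 behaviour: being logged in is the only requirement (CWE-863)."""
    return True


def customer_visible_patched(user: User, customer: Customer, settings: Mapping[str, bool]) -> bool:
    """Honour the visibility setting: limit customers to those reachable via the user's mailboxes."""
    if user.is_admin:
        return True
    if not settings.get("limit_user_customer_visibility", False):
        return True  # limiting disabled: every user may see every customer, by design
    return bool(user.mailbox_ids & customer.conversation_mailbox_ids)


def visible_customers(check: Check, user: User, customers, settings) -> list:
    """IDs the given check lets `user` list; the same check must guard the edit path."""
    return sorted(c.id for c in customers if check(user, c, settings))


def update_customer(check: Check, user: User, customer: Customer, settings, new_name: str) -> dict:
    """Edit path: deny unless the same check used for viewing passes."""
    if not check(user, customer, settings):
        raise PermissionError(f"user {user.id} may not edit customer {customer.id}")
    return {"id": customer.id, "name": new_name}


def can_edit(check: Check, user: User, customer: Customer, settings) -> bool:
    """Convenience wrapper: True if the edit path accepts the request, False if it refuses."""
    try:
        update_customer(check, user, customer, settings, "renamed")
    except PermissionError:
        return False
    return True


# Constructed sample data: three customers, an agent on mailbox 1, an admin, and the
# advisory's scenario of a valid account that belongs to no mailbox at all.
CUSTOMERS = (
    Customer(1, frozenset({1})),
    Customer(2, frozenset({2})),
    Customer(3, frozenset({1, 2})),
)
AGENT_MAILBOX_1 = User(10, mailbox_ids=frozenset({1}))
NO_MAILBOX_USER = User(11)
ADMIN = User(1, is_admin=True)
SETTINGS_ON = {"limit_user_customer_visibility": True}
SETTINGS_OFF = {"limit_user_customer_visibility": False}


if __name__ == "__main__":
    for label, check in (("unpatched", customer_visible_unpatched), ("patched", customer_visible_patched)):
        print(label,
              "no-mailbox user sees:", visible_customers(check, NO_MAILBOX_USER, CUSTOMERS, SETTINGS_ON),
              "can edit customer 1:", can_edit(check, NO_MAILBOX_USER, CUSTOMERS[0], SETTINGS_ON))
```

The point to carry over to a real code base is the last two functions: the decision is made once, by a single check, and that check is invoked on every route that returns or mutates the object, not only on the listing page. A setting that is read in one controller and forgotten in another is exactly the pattern the advisory describes.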

Potential Impact

For European organizations running FreeScout versions prior to 1.8.180, this vulnerability exposes client records to unauthorized internal viewing and modification. Because FreeScout typically holds customer support tickets and correspondence, the client records it manages are personal data under GDPR, and access by staff who were deliberately excluded from the relevant mailboxes can amount to a reportable breach with legal and regulatory consequences. The ability of a low-privileged account to read and change client records it was never granted can also be abused by an insider, or by an attacker who has compromised any single help-desk account. Unauthorized edits to client records can disrupt support workflows, introduce incorrect contact details, and degrade service quality, undermining customer trust and the organization's reputation. The medium severity rating reflects that exploitation requires a valid account and yields limited impact, but exercising the flaw requires nothing more than that account, so it should be fixed promptly to maintain compliance and operational integrity.

Mitigation Recommendations

Verify the deployed FreeScout version and upgrade to 1.8.180 or later. Do not rely on the limit_user_customer_visibility setting as a workaround on vulnerable versions: the affected code paths never check it, so enabling it before upgrading does not close the gap. After upgrading, enable the setting where client visibility is meant to follow mailbox access, and confirm the fix with a non-admin test account that has no mailbox access; it should no longer be able to list or edit clients. If upgrading is not immediately feasible, reduce exposure in the meantime: every valid account can exploit this, so remove dormant and unnecessary accounts, keep the number of users to the minimum required, and restrict network access to the instance (VPN or access proxy) so only expected users can reach it. Review application and web-server logs for client listing or edit activity by accounts that have no mailbox access, and keep that review in place after the upgrade. Finally, make administrators aware that per-mailbox permissions did not constrain client data on affected versions, so any earlier reliance on them for segregating client data should be re-examined.
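A small check for the first step above, added here as an example rather than a FreeScout tool. It assumes, as FreeScout's configuration does, that config/app.php in the deployment carries a line of the form 'version' => '1.8.179', and compares the parsed value against the patched release using tuple ordering, so that 1.8 (no patch number) and 1.8.179 both count as vulnerable while 1.8.180 and 1.9.0 do not.

```python
"""Is this FreeScout deployment older than 1.8.180? (added example, not a FreeScout tool)

Assumption: config/app.php contains 'version' => '<major>.<minor>.<patch>'.
Run as: python check_freescout_version.py /path/to/freescout/config/app.php
"""
import re
import sys

PATCHED_IN = (1, 8, 180)
_VERSION_RE = re.compile(r"'version'\s*=>\s*'(\d+(?:\.\d+)*)'")


def parse_version(config_text: str) -> tuple:
    """Extract the version entry from PHP config text as a tuple of ints."""
    m = _VERSION_RE.search(config_text)
    if m is None:
        raise ValueError("no 'version' => '...' entry found")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version: tuple) -> bool:
    """True for any version ordered before 1.8.180; tuple comparison treats 1.8 as below 1.8.180."""
    return version < PATCHED_IN


def assess(config_text: str) -> dict:
    """Parse and classify in one call; the dict is what a fleet inventory script would record."""
    v = parse_version(config_text)
    return {"version": ".".join(map(str, v)), "vulnerable": is_vulnerable(v)}


# Constructed sample standing in for a real config/app.php
SAMPLE_CONFIG = """<?php
return [
    'name' => 'FreeScout',
    'version' => '1.8.179',
];
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    print(assess(text))
```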


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-05-22T12:11:39.118Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68388f0b182aa0cae285909e

Added to database: 5/29/2025, 4:44:59 PM

Last enriched: 7/7/2025, 11:10:43 PM

Last updated: 8/18/2025, 4:25:48 AM

