CVE-2025-48475: CWE-863: Incorrect Authorization in freescout-help-desk freescout
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the system does not check which "clients" of the system an authorized user may view and edit, and which ones they may not. As a result, an authorized user who has no access to any of the existing mailboxes, nor to any of the existing conversations, is still able to view and edit the system's clients. Client visibility can be limited by the limit_user_customer_visibility setting; however, in the scenarios described, there is no check for the presence of this setting. This issue has been patched in version 1.8.180.
AI Analysis
Technical Summary
CVE-2025-48475 is an authorization vulnerability identified in FreeScout, a free self-hosted help desk and shared mailbox system. The issue affects versions prior to 1.8.180. The core problem lies in the system's failure to properly enforce access control checks on which clients an authorized user can view and edit. Specifically, even users who are authorized but do not have explicit access to any mailboxes or conversations can still view and modify client information. This occurs because the setting limit_user_customer_visibility, which is intended to restrict client visibility, is not checked in certain scenarios, allowing unauthorized access to client data. This vulnerability is classified under CWE-863 (Incorrect Authorization), indicating that the system does not correctly enforce permissions. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting a medium severity level. The vector indicates that the attack can be performed remotely over the network without user interaction, requires low privileges (an authorized user), and results in limited confidentiality and integrity impact but no availability impact. The issue was patched in FreeScout version 1.8.180. No known exploits are currently reported in the wild. The vulnerability could allow unauthorized users within an organization to access and modify client data they should not have access to, potentially leading to data leakage, unauthorized data manipulation, and undermining trust in the help desk system's integrity.
Potential Impact
For European organizations using FreeScout versions prior to 1.8.180, this vulnerability poses a risk of unauthorized internal data exposure and modification. Since FreeScout is often used to manage customer support tickets and communications, unauthorized access to client data could lead to breaches of personal data protected under GDPR, resulting in legal and regulatory consequences. The ability for an authorized user with limited privileges to escalate their access to client information could also facilitate insider threats or lateral movement within the organization. This could undermine customer trust and damage the organization's reputation. Additionally, unauthorized edits to client records could disrupt support workflows, cause misinformation, and impact service quality. The medium severity rating suggests that while the vulnerability is not critical, it still represents a significant risk that should be addressed promptly to maintain compliance and operational integrity.
Mitigation Recommendations
European organizations should immediately verify their FreeScout deployment version and upgrade to version 1.8.180 or later where the vulnerability is patched. If upgrading is not immediately feasible, organizations should implement strict access controls and audit logging to monitor user activities related to client data. Specifically, review and enforce the limit_user_customer_visibility setting to ensure it is properly configured and effective. Conduct internal access reviews to limit the number of users with authorized access to FreeScout and restrict permissions to the minimum necessary. Additionally, implement network segmentation and role-based access controls (RBAC) to reduce the risk of unauthorized access. Regularly audit logs for unusual access patterns or modifications to client data. Finally, provide training to administrators and users on the importance of access controls and monitoring to prevent exploitation of this vulnerability.
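The following model illustrates the defect described in the Technical Summary and the mitigation above (honouring limit_user_customer_visibility and logging denials). It is an added example written for this page and is not FreeScout's code; the data model (users, mailboxes, conversations, customer ids), the function names and the sample data are all assumptions chosen to show the CWE-863 pattern, a check that tests only whether the record exists and never consults the visibility setting, beside a deny-by-default check that does.

```python
"""Hypothetical model of the customer-visibility check behind CVE-2025-48475.

This is illustrative code for this page, NOT FreeScout's own implementation.
The classes, field names and sample data below are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Conversation:
    id: int
    mailbox_id: int
    customer_id: int


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False
    mailbox_ids: frozenset = frozenset()  # mailboxes granted to this user (assumed model)


@dataclass
class HelpDesk:
    customer_ids: set
    conversations: list
    settings: dict = field(default_factory=dict)
    denials: list = field(default_factory=list)  # audit trail of refused customer lookups

    def visible_customer_ids(self, user: User) -> set:
        """Customers reachable through a conversation in a mailbox the user was granted."""
        if user.is_admin:
            return set(self.customer_ids)
        return {c.customer_id for c in self.conversations
                if c.mailbox_id in user.mailbox_ids}

    def can_view_customer_vulnerable(self, user: User, customer_id: int) -> bool:
        """The pre-1.8.180 pattern the advisory describes: only an existence check runs,
        so any authenticated user passes and the visibility setting is never consulted."""
        return customer_id in self.customer_ids

    def can_view_customer_fixed(self, user: User, customer_id: int) -> bool:
        """Hardened check: unknown record -> deny; setting enabled -> require that the
        user can actually reach the customer; every refusal is recorded for auditing."""
        if customer_id not in self.customer_ids:
            return False
        if not self.settings.get("limit_user_customer_visibility", False):
            return True  # setting disabled: all customers are visible to every staff user
        allowed = customer_id in self.visible_customer_ids(user)
        if not allowed:
            self.denials.append((user.id, customer_id))
        return allowed


def build_sample_helpdesk() -> HelpDesk:
    """Constructed sample data: two mailboxes, three customers, setting enabled."""
    return HelpDesk(
        customer_ids={101, 102, 103},
        conversations=[
            Conversation(id=1, mailbox_id=1, customer_id=101),
            Conversation(id=2, mailbox_id=2, customer_id=102),
            # customer 103 has no conversation, so only admins can reach it
        ],
        settings={"limit_user_customer_visibility": True},
    )


def compare_checks(desk: HelpDesk, user: User, customer_id: int) -> tuple:
    """Return (vulnerable_decision, fixed_decision) for one lookup."""
    return (desk.can_view_customer_vulnerable(user, customer_id),
            desk.can_view_customer_fixed(user, customer_id))


if __name__ == "__main__":
    desk = build_sample_helpdesk()
    no_access = User(id=7)                               # no mailboxes at all
    agent = User(id=8, mailbox_ids=frozenset({1}))       # granted mailbox 1 only
    for who, uid in (("no-access user", no_access), ("agent", agent)):
        for cid in (101, 102, 103):
            print(who, cid, compare_checks(desk, uid, cid))
    print("denied lookups logged:", desk.denials)
```

The user with no mailboxes is the case the advisory describes: the existence-only check lets them read every customer, while the hardened check refuses all three and leaves an entry in the denial log that an audit review can pick up. Toggling the setting off in the sample restores the permissive result, which is why the mitigation text asks deployments to confirm the setting is actually enabled rather than merely present.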
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-22T12:11:39.118Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68388f0b182aa0cae285909e
Added to database: 5/29/2025, 4:44:59 PM
Last enriched: 7/7/2025, 11:10:43 PM
Last updated: 8/18/2025, 4:25:48 AM