cvelistv5 - CVE-2025-48875

CVE-2025-48875 (GCVE-0-2025-48875)

Vulnerability from cvelistv5 – Published: 2025-05-30 06:26 – Updated: 2025-05-30 13:32

Summary

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of last_name and first_name during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.181.

Severity ?

4.6 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/freescout-help-desk/freescout/…	x_refsource_CONFIRM
	https://github.com/freescout-help-desk/freescout/…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	freescout-help-desk	freescout	Affected: < 1.8.181

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-48875",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-30T13:32:37.455217Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-30T13:32:43.097Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "freescout",
          "vendor": "freescout-help-desk",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.8.181"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system\u0027s incorrect validation of last_name and first_name during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.181."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-30T06:26:24.366Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mjjx-rv96-w9hq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mjjx-rv96-w9hq"
        },
        {
          "name": "https://github.com/freescout-help-desk/freescout/commit/508dda16853a39fcb6c2b46ea7b7f442d5f7eda7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/freescout-help-desk/freescout/commit/508dda16853a39fcb6c2b46ea7b7f442d5f7eda7"
        }
      ],
      "source": {
        "advisory": "GHSA-mjjx-rv96-w9hq",
        "discovery": "UNKNOWN"
      },
      "title": "FreeScout Vulnerable to Stored XSS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-48875",
    "datePublished": "2025-05-30T06:26:24.366Z",
    "dateReserved": "2025-05-27T20:14:34.295Z",
    "dateUpdated": "2025-05-30T13:32:43.097Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-48875\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-30T07:15:24.127\",\"lastModified\":\"2025-06-04T19:54:12.937\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system\u0027s incorrect validation of last_name and first_name during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.181.\"},{\"lang\":\"es\",\"value\":\"FreeScout es un servicio de asistencia gratuito y autoalojado, con buz\u00f3n compartido. Antes de la versi\u00f3n 1.8.181, la validaci\u00f3n incorrecta de last_name y first_name durante la actualizaci\u00f3n de datos de perfil permit\u00eda la inyecci\u00f3n de c\u00f3digo JavaScript arbitrario, que se ejecutaba en un mensaje de texto al eliminar los datos, lo que pod\u00eda provocar una vulnerabilidad de Cross-Site Scripting (XSS). Este problema se ha corregido en la versi\u00f3n 1.8.181.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":4.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.8.181\",\"matchCriteriaId\":\"F5E2DBC5-41FA-4D59-92EA-35F75F6B5DA0\"}]}]}],\"references\":[{\"url\":\"https://github.com/freescout-help-desk/freescout/commit/508dda16853a39fcb6c2b46ea7b7f442d5f7eda7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mjjx-rv96-w9hq\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48875\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-30T13:32:37.455217Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-30T13:28:32.637Z\"}}], \"cna\": {\"title\": \"FreeScout Vulnerable to Stored XSS\", \"source\": {\"advisory\": \"GHSA-mjjx-rv96-w9hq\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 4.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"freescout-help-desk\", \"product\": \"freescout\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.8.181\"}]}], \"references\": [{\"url\": \"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mjjx-rv96-w9hq\", \"name\": \"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mjjx-rv96-w9hq\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/freescout-help-desk/freescout/commit/508dda16853a39fcb6c2b46ea7b7f442d5f7eda7\", \"name\": \"https://github.com/freescout-help-desk/freescout/commit/508dda16853a39fcb6c2b46ea7b7f442d5f7eda7\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system\u0027s incorrect validation of last_name and first_name during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.181.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-30T06:26:24.366Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-48875\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-30T13:32:43.097Z\", \"dateReserved\": \"2025-05-27T20:14:34.295Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-30T06:26:24.366Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2025-48875

Vulnerability from fkie_nvd - Published: 2025-05-30 07:15 - Updated: 2025-06-04 19:54

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/freescout-help-desk/freescout/commit/508dda16853a39fcb6c2b46ea7b7f442d5f7eda7	Patch
	security-advisories@github.com	https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mjjx-rv96-w9hq	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	freescout	freescout	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F5E2DBC5-41FA-4D59-92EA-35F75F6B5DA0",
              "versionEndExcluding": "1.8.181",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system\u0027s incorrect validation of last_name and first_name during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.181."
    },
    {
      "lang": "es",
      "value": "FreeScout es un servicio de asistencia gratuito y autoalojado, con buz\u00f3n compartido. Antes de la versi\u00f3n 1.8.181, la validaci\u00f3n incorrecta de last_name y first_name durante la actualizaci\u00f3n de datos de perfil permit\u00eda la inyecci\u00f3n de c\u00f3digo JavaScript arbitrario, que se ejecutaba en un mensaje de texto al eliminar los datos, lo que pod\u00eda provocar una vulnerabilidad de Cross-Site Scripting (XSS). Este problema se ha corregido en la versi\u00f3n 1.8.181."
    }
  ],
  "id": "CVE-2025-48875",
  "lastModified": "2025-06-04T19:54:12.937",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 4.6,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-30T07:15:24.127",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/freescout-help-desk/freescout/commit/508dda16853a39fcb6c2b46ea7b7f442d5f7eda7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mjjx-rv96-w9hq"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

CNVD-2025-20795

Vulnerability from cnvd - Published: 2025-09-09

Title

FreeScout跨站脚本漏洞（CNVD-2025-20795）

Description

FreeScout是FreeScout公司的一个使用PHP（Laravel框架）构建的超轻量级免费开源帮助台和共享收件箱。 FreeScout存在跨站脚本漏洞，该漏洞是由于last_name和first_name配置文件数据对用户提供的输入验证不当造成的。目前没有详细的漏洞细节提供。

Severity

中

Patch Name

FreeScout跨站脚本漏洞（CNVD-2025-20795）的补丁

Patch Description

FreeScout是FreeScout公司的一个使用PHP（Laravel框架）构建的超轻量级免费开源帮助台和共享收件箱。 FreeScout存在跨站脚本漏洞，该漏洞是由于last_name和first_name配置文件数据对用户提供的输入验证不当造成的。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://freescout.net/

Reference

https://github.com/freescout-help-desk/freescout/commit/508dda16853a39fcb6c2b46ea7b7f442d5f7eda7

Impacted products

Name
Freescout Freescout <1.8.181

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-48875",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-48875"
    }
  },
  "description": "FreeScout\u662fFreeScout\u516c\u53f8\u7684\u4e00\u4e2a\u4f7f\u7528PHP\uff08Laravel\u6846\u67b6\uff09\u6784\u5efa\u7684\u8d85\u8f7b\u91cf\u7ea7\u514d\u8d39\u5f00\u6e90\u5e2e\u52a9\u53f0\u548c\u5171\u4eab\u6536\u4ef6\u7bb1\u3002\n\nFreeScout\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8elast_name\u548cfirst_name\u914d\u7f6e\u6587\u4ef6\u6570\u636e\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u8f93\u5165\u9a8c\u8bc1\u4e0d\u5f53\u9020\u6210\u7684\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://freescout.net/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-20795",
  "openTime": "2025-09-09",
  "patchDescription": "FreeScout\u662fFreeScout\u516c\u53f8\u7684\u4e00\u4e2a\u4f7f\u7528PHP\uff08Laravel\u6846\u67b6\uff09\u6784\u5efa\u7684\u8d85\u8f7b\u91cf\u7ea7\u514d\u8d39\u5f00\u6e90\u5e2e\u52a9\u53f0\u548c\u5171\u4eab\u6536\u4ef6\u7bb1\u3002\r\n\r\nFreeScout\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8elast_name\u548cfirst_name\u914d\u7f6e\u6587\u4ef6\u6570\u636e\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u8f93\u5165\u9a8c\u8bc1\u4e0d\u5f53\u9020\u6210\u7684\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "FreeScout\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2025-20795\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Freescout Freescout \u003c1.8.181"
  },
  "referenceLink": "https://github.com/freescout-help-desk/freescout/commit/508dda16853a39fcb6c2b46ea7b7f442d5f7eda7",
  "serverity": "\u4e2d",
  "submitTime": "2025-06-06",
  "title": "FreeScout\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2025-20795\uff09"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-48875 (GCVE-0-2025-48875)

FKIE_CVE-2025-48875

CNVD-2025-20795

Tags

Sightings

Nomenclature