Vulnerability-Lookup

CVE-2025-48880 (GCVE-0-2025-48880)

Vulnerability from cvelistv5 – Published: 2025-05-30 06:27 – Updated: 2025-05-30 13:24

Title

FreeScout has Race Condition When Deleting Users

Summary

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, when an administrative account is a deleting a user, there is the the possibility of a race condition occurring. This issue has been patched in version 1.8.181.

Severity ?

5.1 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

CWE

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/freescout-help-desk/freescout/…	x_refsource_CONFIRM
	https://github.com/freescout-help-desk/freescout/…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	freescout-help-desk	freescout	Affected: < 1.8.181

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-48880",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-30T13:14:27.974932Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-30T13:24:57.443Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "freescout",
          "vendor": "freescout-help-desk",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.8.181"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, when an administrative account is a deleting a user, there is the the possibility of a race condition occurring. This issue has been patched in version 1.8.181."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-362",
              "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-30T06:27:23.708Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9vf2-mg4j-4v7f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9vf2-mg4j-4v7f"
        },
        {
          "name": "https://github.com/freescout-help-desk/freescout/commit/3f5bb2841f7de3303bc3cb00930a28440754d122",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/freescout-help-desk/freescout/commit/3f5bb2841f7de3303bc3cb00930a28440754d122"
        }
      ],
      "source": {
        "advisory": "GHSA-9vf2-mg4j-4v7f",
        "discovery": "UNKNOWN"
      },
      "title": "FreeScout has Race Condition When Deleting Users"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-48880",
    "datePublished": "2025-05-30T06:27:23.708Z",
    "dateReserved": "2025-05-27T20:14:34.296Z",
    "dateUpdated": "2025-05-30T13:24:57.443Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48880\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-30T13:14:27.974932Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-30T13:24:17.879Z\"}}], \"cna\": {\"title\": \"FreeScout has Race Condition When Deleting Users\", \"source\": {\"advisory\": \"GHSA-9vf2-mg4j-4v7f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"freescout-help-desk\", \"product\": \"freescout\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.8.181\"}]}], \"references\": [{\"url\": \"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9vf2-mg4j-4v7f\", \"name\": \"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9vf2-mg4j-4v7f\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/freescout-help-desk/freescout/commit/3f5bb2841f7de3303bc3cb00930a28440754d122\", \"name\": \"https://github.com/freescout-help-desk/freescout/commit/3f5bb2841f7de3303bc3cb00930a28440754d122\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, when an administrative account is a deleting a user, there is the the possibility of a race condition occurring. This issue has been patched in version 1.8.181.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-362\", \"description\": \"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-30T06:27:23.708Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-48880\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-30T13:24:57.443Z\", \"dateReserved\": \"2025-05-27T20:14:34.296Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-30T06:27:23.708Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CNVD-2025-20784

Vulnerability from cnvd - Published: 2025-09-09

Title

FreeScout安全绕过漏洞（CNVD-2025-20784）

Description

FreeScout是FreeScout公司的一个使用PHP（Laravel框架）构建的超轻量级免费开源帮助台和共享收件箱。 FreeScout存在安全绕过漏洞，该漏洞是由于竞争条件缺陷引起的。攻击者可利用该漏洞对共享资源执行并发访问。

Severity

中

Patch Name

FreeScout安全绕过漏洞（CNVD-2025-20784）的补丁

Patch Description

FreeScout是FreeScout公司的一个使用PHP（Laravel框架）构建的超轻量级免费开源帮助台和共享收件箱。 FreeScout存在安全绕过漏洞，该漏洞是由于竞争条件缺陷引起的。攻击者可利用该漏洞对共享资源执行并发访问。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://freescout.net/

Reference

https://github.com/freescout-help-desk/freescout/commit/3f5bb2841f7de3303bc3cb00930a28440754d122

Impacted products

Name
Freescout Freescout <1.8.181

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-48880",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-48880"
    }
  },
  "description": "FreeScout\u662fFreeScout\u516c\u53f8\u7684\u4e00\u4e2a\u4f7f\u7528PHP\uff08Laravel\u6846\u67b6\uff09\u6784\u5efa\u7684\u8d85\u8f7b\u91cf\u7ea7\u514d\u8d39\u5f00\u6e90\u5e2e\u52a9\u53f0\u548c\u5171\u4eab\u6536\u4ef6\u7bb1\u3002\n\nFreeScout\u5b58\u5728\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8e\u7ade\u4e89\u6761\u4ef6\u7f3a\u9677\u5f15\u8d77\u7684\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bf9\u5171\u4eab\u8d44\u6e90\u6267\u884c\u5e76\u53d1\u8bbf\u95ee\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://freescout.net/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-20784",
  "openTime": "2025-09-09",
  "patchDescription": "FreeScout\u662fFreeScout\u516c\u53f8\u7684\u4e00\u4e2a\u4f7f\u7528PHP\uff08Laravel\u6846\u67b6\uff09\u6784\u5efa\u7684\u8d85\u8f7b\u91cf\u7ea7\u514d\u8d39\u5f00\u6e90\u5e2e\u52a9\u53f0\u548c\u5171\u4eab\u6536\u4ef6\u7bb1\u3002\r\n\r\nFreeScout\u5b58\u5728\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8e\u7ade\u4e89\u6761\u4ef6\u7f3a\u9677\u5f15\u8d77\u7684\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bf9\u5171\u4eab\u8d44\u6e90\u6267\u884c\u5e76\u53d1\u8bbf\u95ee\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "FreeScout\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2025-20784\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Freescout Freescout \u003c1.8.181"
  },
  "referenceLink": "https://github.com/freescout-help-desk/freescout/commit/3f5bb2841f7de3303bc3cb00930a28440754d122",
  "serverity": "\u4e2d",
  "submitTime": "2025-06-06",
  "title": "FreeScout\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2025-20784\uff09"
}

FKIE_CVE-2025-48880

Vulnerability from fkie_nvd - Published: 2025-05-30 07:15 - Updated: 2025-06-04 18:32

Severity ?

6.6 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/freescout-help-desk/freescout/commit/3f5bb2841f7de3303bc3cb00930a28440754d122	Patch
	security-advisories@github.com	https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9vf2-mg4j-4v7f	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	freescout	freescout	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F5E2DBC5-41FA-4D59-92EA-35F75F6B5DA0",
              "versionEndExcluding": "1.8.181",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, when an administrative account is a deleting a user, there is the the possibility of a race condition occurring. This issue has been patched in version 1.8.181."
    },
    {
      "lang": "es",
      "value": "FreeScout es un servicio de asistencia gratuito y autoalojado, con buz\u00f3n compartido. Antes de la versi\u00f3n 1.8.181, al eliminar un usuario con una cuenta administrativa, exist\u00eda la posibilidad de que se produjera una condici\u00f3n de ejecuci\u00f3n. Este problema se ha corregido en la versi\u00f3n 1.8.181."
    }
  ],
  "id": "CVE-2025-48880",
  "lastModified": "2025-06-04T18:32:36.090",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.6,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.7,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.1,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "HIGH",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-30T07:15:24.270",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/freescout-help-desk/freescout/commit/3f5bb2841f7de3303bc3cb00930a28440754d122"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9vf2-mg4j-4v7f"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-48880 (GCVE-0-2025-48880)

CNVD-2025-20784

FKIE_CVE-2025-48880

Tags

Sightings

Nomenclature