10 matches found
CVE-2024-34698
FreeScout is a free, self-hosted help desk and shared mailbox. Versions of FreeScout prior to 1.8.139 contain a Prototype Pollution vulnerability in the /public/js/main.js source file. The Prototype Pollution arises because the getQueryParam function recursively merges an object containing...
CVE-2025-48480
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, an authorized user with the administrator role or with the privilege User::PERM_EDIT_USERS can create a user, specifying the path to the user's avatar ../.htaccess during creation, and then delete the user's...
CVE-2025-48875
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of lastname and firstname during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flash-message when the data is deleted...
CVE-2025-48487
CVE-2025-48487 pertains to FreeScout, a self-hosted help desk. The issue is a Cross‑Site Scripting (XSS) vulnerability that occurs when translating a phrase shown in a flash-message after an action, allowing injection of a payload. Root cause: insufficient sanitization of translation payloads in ...
CVE-2025-48484 FreeScout Vulnerable to Stored XSS
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data in the conversation POST data body. This issue has been patched in versio...
CVE-2025-48479
CVE-2025-48479 affects FreeScout (self-hosted help desk) via the laravel-translation-manager package. The issue arises from improper validation of user input, enabling deletion of arbitrary directories when the attacker has sufficient access rights. The vulnerability is addressed in FreeScout ver...
CVE-2025-48479 FreeScout Has Business Logic Errors
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the laravel-translation-manager package does not correctly validate user input, enabling the deletion of any directory, given sufficient access rights. This issue has been patched in version 1.8.180...
CVE-2025-48471
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, the application does not check or performs insufficient checking of files uploaded to the application. This allows files to be uploaded with the phtml and phar extensions, which can lead to remote code executi...
CVE-2025-48474
CVE-2025-48474 concerns FreeScout (prior to 1.8.180). The issue is improper access-rights checks for conversations, allowing users enabled with show_only_assigned_conversations to assign themselves to any accessible conversation and bypass viewing restrictions. The vulnerability is patched in ver...
CVE-2025-48471
CVE-2025-48471 pertains to FreeScout (PHP/Laravel). The vulnerability arises from insufficient validation of uploaded files, allowing files with phtml and phar extensions to be uploaded, which can enable remote code execution when hosted on Apache. The issue affects FreeScout versions prior to 1....