CVE-2025-48880

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, when an administrative account is a deleting a user, there is the the possibility of a race condition occurring. This issue has been patched in version 1.8.181.

CVSS v3 6.6 MEDIUM

6.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.7 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/freescout-help-desk/freescout/commit/3f5bb2841f7de3303bc3cb00930a28440754d122	Patch
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9vf2-mg4j-4v7f	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*

History

04 Jun 2025, 18:32

Type	Values Removed	Values Added
References	~~() https://github.com/freescout-help-desk/freescout/commit/3f5bb2841f7de3303bc3cb00930a28440754d122 -~~	() https://github.com/freescout-help-desk/freescout/commit/3f5bb2841f7de3303bc3cb00930a28440754d122 - Patch
References	~~() https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9vf2-mg4j-4v7f -~~	() https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9vf2-mg4j-4v7f - Exploit, Vendor Advisory
CPE		cpe:2.3:a:freescout:freescout::::::::
First Time		Freescout Freescout freescout
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.6

30 May 2025, 16:31

Type	Values Removed	Values Added
Summary		(es) FreeScout es un servicio de asistencia gratuito y autoalojado, con buzón compartido. Antes de la versión 1.8.181, al eliminar un usuario con una cuenta administrativa, existía la posibilidad de que se produjera una condición de ejecución. Este problema se ha corregido en la versión 1.8.181.

30 May 2025, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-30 07:15

Updated : 2025-06-04 18:32

NVD link : CVE-2025-48880

Mitre link : CVE-2025-48880

CVE.ORG link : CVE-2025-48880

JSON object : View

Products Affected

freescout

freescout

CWE

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

{"id": "CVE-2025-48880", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.7}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-30T07:15:24.270", "references": [{"url": "https://github.com/freescout-help-desk/freescout/commit/3f5bb2841f7de3303bc3cb00930a28440754d122", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9vf2-mg4j-4v7f", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, when an administrative account is a deleting a user, there is the the possibility of a race condition occurring. This issue has been patched in version 1.8.181."}, {"lang": "es", "value": "FreeScout es un servicio de asistencia gratuito y autoalojado, con buz\u00f3n compartido. Antes de la versi\u00f3n 1.8.181, al eliminar un usuario con una cuenta administrativa, exist\u00eda la posibilidad de que se produjera una condici\u00f3n de ejecuci\u00f3n. Este problema se ha corregido en la versi\u00f3n 1.8.181."}], "lastModified": "2025-06-04T18:32:36.090", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5E2DBC5-41FA-4D59-92EA-35F75F6B5DA0", "versionEndExcluding": "1.8.181"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}