Freescout
Monthly
FreeScout help desk software prior to version 1.8.219 leaks account existence through its password reset endpoint, enabling unauthenticated remote attackers to enumerate valid helpdesk agent email addresses at scale. The endpoint returns visually distinct responses depending on whether a submitted email is registered, violating CWE-203 (Observable Discrepancy) and creating a reliable reconnaissance channel. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the zero-authentication, low-complexity attack surface makes automated enumeration trivially achievable against any internet-exposed FreeScout instance running a pre-1.8.219 version.
Authentication bypass in FreeScout help desk (versions prior to 1.8.220) allows remote attackers who can spoof an agent's email From address to inject forged replies into customer-facing threads. The FetchEmails command's notification reply path parsed thread_id and user_id directly from the Message-ID without HMAC verification, so spoofed messages were relayed to customers through the legitimate SMTP server. No public exploit identified at time of analysis, but the upstream commit publicly documents the exact missing hash check.
Improper authorization in FreeScout's ThreadPolicy::edit method (prior to 1.8.221) allows an authenticated user with PERM_EDIT_CONVERSATIONS to rewrite thread bodies in a mailbox they have been removed from. The policy validates authorship and a global permission flag but omits a current mailbox membership check, meaning revocation of mailbox access does not prevent thread editing by former members. No public exploit has been identified and this is not in CISA KEV; the flaw was discovered as a sibling issue during review of a previously reported ThreadPolicy::delete authorization gap.
FreeScout's internal note deletion endpoint allows a low-privileged authenticated user to permanently destroy private thread notes in any conversation, bypassing mailbox membership checks entirely. The ThreadPolicy::delete authorization policy fails to verify whether the requesting user still belongs to the mailbox containing the targeted note - meaning a deprovisioned former team member with a still-active account can erase internal notes they previously created across any conversation. No public exploit has been identified at time of analysis, and this vulnerability is fixed in version 1.8.221.
Privilege escalation in FreeScout allows low-privileged agents to reassign conversations to customers in unauthorized mailboxes. The Change Customer modal enforces mailbox-scoped visibility on the frontend search endpoint, but the backend conversation_change_customer action lacks parallel authorization checks, accepting arbitrary customer_email parameters. An authenticated agent with access to mailbox A can forge requests to bind conversations to customers in mailbox B, bypassing tenant isolation controls. Vendor-released patch version 1.8.214 addresses this authorization bypass alongside four related customer visibility vulnerabilities disclosed concurrently (GHSA-mv55-3mgv-fxwr, GHSA-wjw4-8xg6-342m, GHSA-9ff4-mmhv-x6jp, GHSA-674v-r6xp-mvp6). No active exploitation confirmed (not in CISA KEV); CVSS 7.1 reflects network vector with low complexity but requires authenticated agent credentials.
Stored XSS in FreeScout's auto-reply feature allows authenticated users with updateAutoReply permission to inject malicious scripts that execute in customer email clients. Every customer contacting the affected mailbox receives the weaponized auto-reply email, where the payload executes without CSP protection in webmail or email client contexts. The vulnerability affects FreeScout versions prior to 1.8.217, which contains the vendor-released patch. EPSS data not provided, no CISA KEV listing indicates limited observed exploitation despite the chain-reaction impact potential.
{hash} endpoint accepts 60-character invite_hash values with no time-based expiration, remaining valid indefinitely until consumed. Attackers who obtain leaked invite links through forwarded emails, HTTP referrer logs, CDN access logs, or archived messages can set passwords for target accounts months or years post-issuance. CVSS 9.1 (Critical) with network vector and no authentication required. Patched in version 1.8.217 with 7-day invite expiration. EPSS and KEV data not available; no public exploit code identified at time of analysis.
FreeScout versions prior to 1.8.217 allow authenticated users with PERM_EDIT_USERS permission to read and modify notification subscriptions of any other user, including administrators, via a single POST request. This authorization bypass enables attackers to silently disable admin notifications, suppressing security alerts and conversation assignments without detection. The vulnerability is a sibling of CVE-2025-48472, indicating incomplete patching of a related code path.
Cross-site request forgery (CSRF) in FreeScout prior to version 1.8.215 allows unauthenticated remote attackers to disconnect OAuth integrations from a mailbox by tricking a logged-in admin into visiting a malicious web page, resulting in loss of email synchronization and potential service disruption. The vulnerability stems from the OAuth disconnect endpoint using GET HTTP method without CSRF token validation, enabling attackers to craft simple links or embed requests in third-party sites to trigger account modifications.
Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code execution by uploading malicious ZIP archives during module installation. The path traversal vulnerability (CWE-22) enables attackers to write files to any location on the server filesystem, including web-accessible directories where PHP shells can be placed. With CVSS 9.1 (Critical) and EPSS data not provided, the primary risk factor is the changed scope (S:C) indicating potential container/hosting infrastructure compromise beyond the application itself. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis, though the fix commit provides implementation details that could facilitate exploit development.
Authenticated mailbox users can delete arbitrary conversation attachments in FreeScout versions prior to 1.8.215 by replaying encrypted attachment IDs through the draft-saving API. The vulnerability exploits insufficient authorization checks in the reply/draft workflows, allowing peers with legitimate conversation access to extract encrypted attachment IDs via load_attachments, then submit those IDs through save_draft to trigger deletion of attachments they should not control. With CVSS 7.1 (AV:N/AC:L/PR:L) and EPSS data unavailable, risk depends heavily on whether attackers have mailbox credentials and access to shared conversations. GitHub commit 5f182818e confirms the fix validates attachment ownership before deletion.
{%customer.fullName%} template variable in reply emails, enabling attackers to embed phishing links, tracking pixels, and spoofed content in emails sent from the organization's legitimate address. No public exploit code identified at time of analysis.
Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213, exploiting a predictable MD5 hash derived from the exposed APP_KEY. Attackers can harvest sensitive server information (full path disclosure, process IDs) and trigger resource exhaustion denial-of-service by repeatedly invoking unprotected background tasks. The vulnerability has publicly available exploit code (CVSS E:P), making it immediately actionable for attackers. EPSS data not provided, but the combination of network exposure (AV:N), no authentication required (PR:N), and confirmed POC significantly elevates real-world risk for internet-facing FreeScout installations.
CSS injection in FreeScout mailbox signatures enables CSRF token exfiltration and privilege escalation from authenticated agents to administrators. The vulnerability exists in FreeScout versions prior to 1.8.213 where incomplete input sanitization fails to strip <style> tags from mailbox signature fields. Attackers with mailbox configuration access leverage CSS attribute selectors to steal CSRF tokens from viewing users, then perform arbitrary state-changing actions including admin account creation. EPSS data not available; no confirmed active exploitation (CISA KEV absent). Vendor patch released in version 1.8.213 with complete fix addressing previous incomplete remediation (GHSA-jqjf-f566-485j).
Insecure token generation in FreeScout <1.8.213 allows unauthenticated remote attackers to download private email attachments by forging MD5-based download tokens. The predictable formula (md5(APP_KEY + sequential_attachment_id + guessable_size)) enables enumeration of all stored attachments without credentials. CVSS 8.8 reflects high confidentiality and integrity impact via network vector with no authentication required. EPSS data not provided. Proof-of-concept exploitation exists (E:P in CVSS vector). Vendor-released patch version 1.8.213 available via GitHub.
{conversation_id}/{thread_id} endpoint. The endpoint fails to verify both authentication and thread-conversation association, enabling complete enumeration of help desk conversations and metadata manipulation without credentials. This affects all FreeScout installations below version 1.8.212.
Unauthorized cross-customer data access in FreeScout help desk software versions prior to 1.8.212 allows authenticated users with low privileges to bypass customer visibility restrictions during merge operations. The limit_user_customer_visibility parameter-intended to restrict agents' access to specific customers-is ignored when merging customer records, enabling agents to view and manipulate data outside their authorized scope. CVSS 7.6 (High) with network-based attack vector and low complexity. No public exploit identified at time of analysis, EPSS data not provided.
A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, where malicious email content is stored unsanitized and executed when email notifications are sent to agents. An unauthenticated attacker can exploit this by simply sending a specially crafted email that executes malicious scripts when viewed by support staff in their email clients, potentially leading to session hijacking, credential theft, and account takeover. The vulnerability has a critical CVSS score of 9.3 due to its ease of exploitation and broad impact across all notification recipients.
Stored XSS in FreeScout 1.8.208 and earlier allows authenticated attackers to execute arbitrary JavaScript in victims' browsers by uploading a malicious SVG file with a .png extension and image/svg+xml content type, bypassing both the attachment view logic and SVG sanitizer. The vulnerability exploits a fallback mechanism that unsafely processes invalid XML, enabling script execution when the file is rendered inline. An attacker with upload permissions can compromise other users' sessions and data through this cross-site scripting attack.
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework.
File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.
Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers to predict reset tokens and take over accounts. PoC and patch available.
Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that bypass file upload restrictions, enabling arbitrary code execution on Apache servers with `AllowOverride All` enabled. Public exploit code exists for this vulnerability. The attack requires valid user credentials but affects all FreeScout installations using the vulnerable PHP Laravel framework configuration.
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity.
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Unrestricted Upload of File with Dangerous Type in freescout-helpdesk/freescout. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout help desk software prior to version 1.8.219 leaks account existence through its password reset endpoint, enabling unauthenticated remote attackers to enumerate valid helpdesk agent email addresses at scale. The endpoint returns visually distinct responses depending on whether a submitted email is registered, violating CWE-203 (Observable Discrepancy) and creating a reliable reconnaissance channel. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the zero-authentication, low-complexity attack surface makes automated enumeration trivially achievable against any internet-exposed FreeScout instance running a pre-1.8.219 version.
Authentication bypass in FreeScout help desk (versions prior to 1.8.220) allows remote attackers who can spoof an agent's email From address to inject forged replies into customer-facing threads. The FetchEmails command's notification reply path parsed thread_id and user_id directly from the Message-ID without HMAC verification, so spoofed messages were relayed to customers through the legitimate SMTP server. No public exploit identified at time of analysis, but the upstream commit publicly documents the exact missing hash check.
Improper authorization in FreeScout's ThreadPolicy::edit method (prior to 1.8.221) allows an authenticated user with PERM_EDIT_CONVERSATIONS to rewrite thread bodies in a mailbox they have been removed from. The policy validates authorship and a global permission flag but omits a current mailbox membership check, meaning revocation of mailbox access does not prevent thread editing by former members. No public exploit has been identified and this is not in CISA KEV; the flaw was discovered as a sibling issue during review of a previously reported ThreadPolicy::delete authorization gap.
FreeScout's internal note deletion endpoint allows a low-privileged authenticated user to permanently destroy private thread notes in any conversation, bypassing mailbox membership checks entirely. The ThreadPolicy::delete authorization policy fails to verify whether the requesting user still belongs to the mailbox containing the targeted note - meaning a deprovisioned former team member with a still-active account can erase internal notes they previously created across any conversation. No public exploit has been identified at time of analysis, and this vulnerability is fixed in version 1.8.221.
Privilege escalation in FreeScout allows low-privileged agents to reassign conversations to customers in unauthorized mailboxes. The Change Customer modal enforces mailbox-scoped visibility on the frontend search endpoint, but the backend conversation_change_customer action lacks parallel authorization checks, accepting arbitrary customer_email parameters. An authenticated agent with access to mailbox A can forge requests to bind conversations to customers in mailbox B, bypassing tenant isolation controls. Vendor-released patch version 1.8.214 addresses this authorization bypass alongside four related customer visibility vulnerabilities disclosed concurrently (GHSA-mv55-3mgv-fxwr, GHSA-wjw4-8xg6-342m, GHSA-9ff4-mmhv-x6jp, GHSA-674v-r6xp-mvp6). No active exploitation confirmed (not in CISA KEV); CVSS 7.1 reflects network vector with low complexity but requires authenticated agent credentials.
Stored XSS in FreeScout's auto-reply feature allows authenticated users with updateAutoReply permission to inject malicious scripts that execute in customer email clients. Every customer contacting the affected mailbox receives the weaponized auto-reply email, where the payload executes without CSP protection in webmail or email client contexts. The vulnerability affects FreeScout versions prior to 1.8.217, which contains the vendor-released patch. EPSS data not provided, no CISA KEV listing indicates limited observed exploitation despite the chain-reaction impact potential.
{hash} endpoint accepts 60-character invite_hash values with no time-based expiration, remaining valid indefinitely until consumed. Attackers who obtain leaked invite links through forwarded emails, HTTP referrer logs, CDN access logs, or archived messages can set passwords for target accounts months or years post-issuance. CVSS 9.1 (Critical) with network vector and no authentication required. Patched in version 1.8.217 with 7-day invite expiration. EPSS and KEV data not available; no public exploit code identified at time of analysis.
FreeScout versions prior to 1.8.217 allow authenticated users with PERM_EDIT_USERS permission to read and modify notification subscriptions of any other user, including administrators, via a single POST request. This authorization bypass enables attackers to silently disable admin notifications, suppressing security alerts and conversation assignments without detection. The vulnerability is a sibling of CVE-2025-48472, indicating incomplete patching of a related code path.
Cross-site request forgery (CSRF) in FreeScout prior to version 1.8.215 allows unauthenticated remote attackers to disconnect OAuth integrations from a mailbox by tricking a logged-in admin into visiting a malicious web page, resulting in loss of email synchronization and potential service disruption. The vulnerability stems from the OAuth disconnect endpoint using GET HTTP method without CSRF token validation, enabling attackers to craft simple links or embed requests in third-party sites to trigger account modifications.
Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code execution by uploading malicious ZIP archives during module installation. The path traversal vulnerability (CWE-22) enables attackers to write files to any location on the server filesystem, including web-accessible directories where PHP shells can be placed. With CVSS 9.1 (Critical) and EPSS data not provided, the primary risk factor is the changed scope (S:C) indicating potential container/hosting infrastructure compromise beyond the application itself. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis, though the fix commit provides implementation details that could facilitate exploit development.
Authenticated mailbox users can delete arbitrary conversation attachments in FreeScout versions prior to 1.8.215 by replaying encrypted attachment IDs through the draft-saving API. The vulnerability exploits insufficient authorization checks in the reply/draft workflows, allowing peers with legitimate conversation access to extract encrypted attachment IDs via load_attachments, then submit those IDs through save_draft to trigger deletion of attachments they should not control. With CVSS 7.1 (AV:N/AC:L/PR:L) and EPSS data unavailable, risk depends heavily on whether attackers have mailbox credentials and access to shared conversations. GitHub commit 5f182818e confirms the fix validates attachment ownership before deletion.
{%customer.fullName%} template variable in reply emails, enabling attackers to embed phishing links, tracking pixels, and spoofed content in emails sent from the organization's legitimate address. No public exploit code identified at time of analysis.
Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213, exploiting a predictable MD5 hash derived from the exposed APP_KEY. Attackers can harvest sensitive server information (full path disclosure, process IDs) and trigger resource exhaustion denial-of-service by repeatedly invoking unprotected background tasks. The vulnerability has publicly available exploit code (CVSS E:P), making it immediately actionable for attackers. EPSS data not provided, but the combination of network exposure (AV:N), no authentication required (PR:N), and confirmed POC significantly elevates real-world risk for internet-facing FreeScout installations.
CSS injection in FreeScout mailbox signatures enables CSRF token exfiltration and privilege escalation from authenticated agents to administrators. The vulnerability exists in FreeScout versions prior to 1.8.213 where incomplete input sanitization fails to strip <style> tags from mailbox signature fields. Attackers with mailbox configuration access leverage CSS attribute selectors to steal CSRF tokens from viewing users, then perform arbitrary state-changing actions including admin account creation. EPSS data not available; no confirmed active exploitation (CISA KEV absent). Vendor patch released in version 1.8.213 with complete fix addressing previous incomplete remediation (GHSA-jqjf-f566-485j).
Insecure token generation in FreeScout <1.8.213 allows unauthenticated remote attackers to download private email attachments by forging MD5-based download tokens. The predictable formula (md5(APP_KEY + sequential_attachment_id + guessable_size)) enables enumeration of all stored attachments without credentials. CVSS 8.8 reflects high confidentiality and integrity impact via network vector with no authentication required. EPSS data not provided. Proof-of-concept exploitation exists (E:P in CVSS vector). Vendor-released patch version 1.8.213 available via GitHub.
{conversation_id}/{thread_id} endpoint. The endpoint fails to verify both authentication and thread-conversation association, enabling complete enumeration of help desk conversations and metadata manipulation without credentials. This affects all FreeScout installations below version 1.8.212.
Unauthorized cross-customer data access in FreeScout help desk software versions prior to 1.8.212 allows authenticated users with low privileges to bypass customer visibility restrictions during merge operations. The limit_user_customer_visibility parameter-intended to restrict agents' access to specific customers-is ignored when merging customer records, enabling agents to view and manipulate data outside their authorized scope. CVSS 7.6 (High) with network-based attack vector and low complexity. No public exploit identified at time of analysis, EPSS data not provided.
A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, where malicious email content is stored unsanitized and executed when email notifications are sent to agents. An unauthenticated attacker can exploit this by simply sending a specially crafted email that executes malicious scripts when viewed by support staff in their email clients, potentially leading to session hijacking, credential theft, and account takeover. The vulnerability has a critical CVSS score of 9.3 due to its ease of exploitation and broad impact across all notification recipients.
Stored XSS in FreeScout 1.8.208 and earlier allows authenticated attackers to execute arbitrary JavaScript in victims' browsers by uploading a malicious SVG file with a .png extension and image/svg+xml content type, bypassing both the attachment view logic and SVG sanitizer. The vulnerability exploits a fallback mechanism that unsafely processes invalid XML, enabling script execution when the file is rendered inline. An attacker with upload permissions can compromise other users' sessions and data through this cross-site scripting attack.
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework.
File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.
Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers to predict reset tokens and take over accounts. PoC and patch available.
Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that bypass file upload restrictions, enabling arbitrary code execution on Apache servers with `AllowOverride All` enabled. Public exploit code exists for this vulnerability. The attack requires valid user credentials but affects all FreeScout installations using the vulnerable PHP Laravel framework configuration.
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity.
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Unrestricted Upload of File with Dangerous Type in freescout-helpdesk/freescout. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.