CVE-2025-48476

HIGH Year: 2025
Weakness Type
CWE-841
View all →

Vulnerability Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, when adding and editing user records using the fill() method, there is no check for the absence of the password field in the data coming from the user, which leads to a mass-assignment vulnerability. As a result, a user with the right to edit other users of the system can change their password, and then log in to the system using the set password. This issue has been patched in version 1.8.180.

Related Vulnerabilities

CVE-2023-4181

CRITICAL
CVSS:9.8(Critical)

A vulnerability, which was classified as critical, has been found in SourceCodester Free Hospital Management System for Small Practices 1.0. Affected by this issue is some unknown functionality of the...

CWE-8412023

CVE-2022-2105

CRITICAL
CVSS:9.1(Critical)

Client-side JavaScript controls may be bypassed to change user credentials and permissions without authentication, including a “root” user level meant only for the vendor. Web server root level access...

CWE-8412022

CVE-2024-0410

HIGH
CVSS:7.7(High)

An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1. A developer could bypass CODEOWNERS approvals by...

CWE-8412024

CVE-2022-1667

HIGH
CVSS:7.5(High)

Client-side JavaScript controls may be bypassed by directly running a JS function to reboot the PLC (e.g., from the browser console) or by loading the corresponding, browser accessible PHP script

CWE-8412022

CVE-2022-2102

HIGH
CVSS:7.5(High)

Controls limiting uploads to certain file extensions may be bypassed. This could allow an attacker to intercept the initial file upload page response and modify the associated code. This modified code...

CWE-8412022

CVE-2024-46307

HIGH
CVSS:7.5(High)

A loop hole in the payment logic of Sparkshop v1.16 allows attackers to arbitrarily modify the number of products.

CWE-8412024