Vulnerability Details CVE-2024-34698
FreeScout is a free, self-hosted help desk and shared mailbox. Versions of FreeScout prior to 1.8.139 contain a Prototype Pollution vulnerability in the `/public/js/main.js` source file. The Prototype Pollution arises because the `getQueryParam` Function recursively merges an object containing user-controllable properties into an existing object (For URL Query Parameters Parsing), without first sanitizing the keys. This can allow an attacker to inject a property with a key `__proto__`, along with arbitrarily nested properties. The merge operation assigns the nested properties to the `params` object's prototype instead of the target object itself. As a result, the attacker can pollute the prototype with properties containing harmful values, which are then inherited by user-defined objects and subsequently used by the application dangerously. The vulnerability lets an attacker control properties of objects that would otherwise be inaccessible. If the application subsequently handles an attacker-controlled property in an unsafe way, this can potentially be chained with other vulnerabilities like DOM-based XSS, Open Redirection, Cookie Manipulation, Link Manipulation, HTML Injection, etc. Version 1.8.139 contains a patch for the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 69.0%
CVSS Severity
CVSS v3 Score 4.6
References
- https://github.com/freescout-helpdesk/freescout/commit/2614514bc6d6c4ad563202a1c9cae5a97b195cc5
- https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-rx6j-4c33-9h3r
- https://github.com/freescout-helpdesk/freescout/commit/2614514bc6d6c4ad563202a1c9cae5a97b195cc5
- https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-rx6j-4c33-9h3r
Products affected by CVE-2024-34698
-
cpe:2.3:a:freescout:freescout:-
-
cpe:2.3:a:freescout:freescout:1.0.0
-
cpe:2.3:a:freescout:freescout:1.0.2
-
cpe:2.3:a:freescout:freescout:1.0.3
-
cpe:2.3:a:freescout:freescout:1.0.4
-
cpe:2.3:a:freescout:freescout:1.0.5
-
cpe:2.3:a:freescout:freescout:1.0.6
-
cpe:2.3:a:freescout:freescout:1.0.7
-
cpe:2.3:a:freescout:freescout:1.0.8
-
cpe:2.3:a:freescout:freescout:1.0.9
-
cpe:2.3:a:freescout:freescout:1.1.0
-
cpe:2.3:a:freescout:freescout:1.1.1
-
cpe:2.3:a:freescout:freescout:1.1.10
-
cpe:2.3:a:freescout:freescout:1.1.2
-
cpe:2.3:a:freescout:freescout:1.1.3
-
cpe:2.3:a:freescout:freescout:1.1.4
-
cpe:2.3:a:freescout:freescout:1.1.5
-
cpe:2.3:a:freescout:freescout:1.1.6
-
cpe:2.3:a:freescout:freescout:1.1.7
-
cpe:2.3:a:freescout:freescout:1.1.8
-
cpe:2.3:a:freescout:freescout:1.1.9
-
cpe:2.3:a:freescout:freescout:1.2.0
-
cpe:2.3:a:freescout:freescout:1.2.1
-
cpe:2.3:a:freescout:freescout:1.2.2
-
cpe:2.3:a:freescout:freescout:1.2.3
-
cpe:2.3:a:freescout:freescout:1.2.4
-
cpe:2.3:a:freescout:freescout:1.2.5
-
cpe:2.3:a:freescout:freescout:1.2.6
-
cpe:2.3:a:freescout:freescout:1.3.0
-
cpe:2.3:a:freescout:freescout:1.3.1
-
cpe:2.3:a:freescout:freescout:1.3.10
-
cpe:2.3:a:freescout:freescout:1.3.11
-
cpe:2.3:a:freescout:freescout:1.3.12
-
cpe:2.3:a:freescout:freescout:1.3.13
-
cpe:2.3:a:freescout:freescout:1.3.14
-
cpe:2.3:a:freescout:freescout:1.3.15
-
cpe:2.3:a:freescout:freescout:1.3.16
-
cpe:2.3:a:freescout:freescout:1.3.17
-
cpe:2.3:a:freescout:freescout:1.3.18
-
cpe:2.3:a:freescout:freescout:1.3.19
-
cpe:2.3:a:freescout:freescout:1.3.2
-
cpe:2.3:a:freescout:freescout:1.3.3
-
cpe:2.3:a:freescout:freescout:1.3.4
-
cpe:2.3:a:freescout:freescout:1.3.5
-
cpe:2.3:a:freescout:freescout:1.3.6
-
cpe:2.3:a:freescout:freescout:1.3.7
-
cpe:2.3:a:freescout:freescout:1.3.8
-
cpe:2.3:a:freescout:freescout:1.3.9
-
cpe:2.3:a:freescout:freescout:1.4.0
-
cpe:2.3:a:freescout:freescout:1.4.1
-
cpe:2.3:a:freescout:freescout:1.4.10
-
cpe:2.3:a:freescout:freescout:1.4.11
-
cpe:2.3:a:freescout:freescout:1.4.12
-
cpe:2.3:a:freescout:freescout:1.4.2
-
cpe:2.3:a:freescout:freescout:1.4.3
-
cpe:2.3:a:freescout:freescout:1.4.4
-
cpe:2.3:a:freescout:freescout:1.4.6
-
cpe:2.3:a:freescout:freescout:1.4.7
-
cpe:2.3:a:freescout:freescout:1.4.8
-
cpe:2.3:a:freescout:freescout:1.4.9
-
cpe:2.3:a:freescout:freescout:1.5.0
-
cpe:2.3:a:freescout:freescout:1.5.1
-
cpe:2.3:a:freescout:freescout:1.5.10
-
cpe:2.3:a:freescout:freescout:1.5.11
-
cpe:2.3:a:freescout:freescout:1.5.12
-
cpe:2.3:a:freescout:freescout:1.5.13
-
cpe:2.3:a:freescout:freescout:1.5.14
-
cpe:2.3:a:freescout:freescout:1.5.15
-
cpe:2.3:a:freescout:freescout:1.5.2
-
cpe:2.3:a:freescout:freescout:1.5.3
-
cpe:2.3:a:freescout:freescout:1.5.4
-
cpe:2.3:a:freescout:freescout:1.5.5
-
cpe:2.3:a:freescout:freescout:1.5.6
-
cpe:2.3:a:freescout:freescout:1.5.7
-
cpe:2.3:a:freescout:freescout:1.5.8
-
cpe:2.3:a:freescout:freescout:1.5.9
-
cpe:2.3:a:freescout:freescout:1.6.0
-
cpe:2.3:a:freescout:freescout:1.6.1
-
cpe:2.3:a:freescout:freescout:1.6.10
-
cpe:2.3:a:freescout:freescout:1.6.11
-
cpe:2.3:a:freescout:freescout:1.6.12
-
cpe:2.3:a:freescout:freescout:1.6.13
-
cpe:2.3:a:freescout:freescout:1.6.14
-
cpe:2.3:a:freescout:freescout:1.6.15
-
cpe:2.3:a:freescout:freescout:1.6.16
-
cpe:2.3:a:freescout:freescout:1.6.17
-
cpe:2.3:a:freescout:freescout:1.6.18
-
cpe:2.3:a:freescout:freescout:1.6.19
-
cpe:2.3:a:freescout:freescout:1.6.2
-
cpe:2.3:a:freescout:freescout:1.6.20
-
cpe:2.3:a:freescout:freescout:1.6.3
-
cpe:2.3:a:freescout:freescout:1.6.4
-
cpe:2.3:a:freescout:freescout:1.6.5
-
cpe:2.3:a:freescout:freescout:1.6.6
-
cpe:2.3:a:freescout:freescout:1.6.7
-
cpe:2.3:a:freescout:freescout:1.6.8
-
cpe:2.3:a:freescout:freescout:1.6.9
-
cpe:2.3:a:freescout:freescout:1.7.0
-
cpe:2.3:a:freescout:freescout:1.7.1
-
cpe:2.3:a:freescout:freescout:1.7.10
-
cpe:2.3:a:freescout:freescout:1.7.11
-
cpe:2.3:a:freescout:freescout:1.7.12
-
cpe:2.3:a:freescout:freescout:1.7.13
-
cpe:2.3:a:freescout:freescout:1.7.14
-
cpe:2.3:a:freescout:freescout:1.7.15
-
cpe:2.3:a:freescout:freescout:1.7.16
-
cpe:2.3:a:freescout:freescout:1.7.17
-
cpe:2.3:a:freescout:freescout:1.7.18
-
cpe:2.3:a:freescout:freescout:1.7.19
-
cpe:2.3:a:freescout:freescout:1.7.2
-
cpe:2.3:a:freescout:freescout:1.7.20
-
cpe:2.3:a:freescout:freescout:1.7.21
-
cpe:2.3:a:freescout:freescout:1.7.22
-
cpe:2.3:a:freescout:freescout:1.7.23
-
cpe:2.3:a:freescout:freescout:1.7.24
-
cpe:2.3:a:freescout:freescout:1.7.25
-
cpe:2.3:a:freescout:freescout:1.7.26
-
cpe:2.3:a:freescout:freescout:1.7.27
-
cpe:2.3:a:freescout:freescout:1.7.28
-
cpe:2.3:a:freescout:freescout:1.7.29
-
cpe:2.3:a:freescout:freescout:1.7.3
-
cpe:2.3:a:freescout:freescout:1.7.30
-
cpe:2.3:a:freescout:freescout:1.7.4
-
cpe:2.3:a:freescout:freescout:1.7.5
-
cpe:2.3:a:freescout:freescout:1.7.6
-
cpe:2.3:a:freescout:freescout:1.7.7
-
cpe:2.3:a:freescout:freescout:1.7.9
-
cpe:2.3:a:freescout:freescout:1.8.0
-
cpe:2.3:a:freescout:freescout:1.8.1
-
cpe:2.3:a:freescout:freescout:1.8.10
-
cpe:2.3:a:freescout:freescout:1.8.100
-
cpe:2.3:a:freescout:freescout:1.8.101
-
cpe:2.3:a:freescout:freescout:1.8.102
-
cpe:2.3:a:freescout:freescout:1.8.103
-
cpe:2.3:a:freescout:freescout:1.8.104
-
cpe:2.3:a:freescout:freescout:1.8.105
-
cpe:2.3:a:freescout:freescout:1.8.106
-
cpe:2.3:a:freescout:freescout:1.8.107
-
cpe:2.3:a:freescout:freescout:1.8.108
-
cpe:2.3:a:freescout:freescout:1.8.109
-
cpe:2.3:a:freescout:freescout:1.8.11
-
cpe:2.3:a:freescout:freescout:1.8.110
-
cpe:2.3:a:freescout:freescout:1.8.111
-
cpe:2.3:a:freescout:freescout:1.8.112
-
cpe:2.3:a:freescout:freescout:1.8.113
-
cpe:2.3:a:freescout:freescout:1.8.114
-
cpe:2.3:a:freescout:freescout:1.8.115
-
cpe:2.3:a:freescout:freescout:1.8.116
-
cpe:2.3:a:freescout:freescout:1.8.117
-
cpe:2.3:a:freescout:freescout:1.8.118
-
cpe:2.3:a:freescout:freescout:1.8.119
-
cpe:2.3:a:freescout:freescout:1.8.12
-
cpe:2.3:a:freescout:freescout:1.8.120
-
cpe:2.3:a:freescout:freescout:1.8.121
-
cpe:2.3:a:freescout:freescout:1.8.122
-
cpe:2.3:a:freescout:freescout:1.8.123
-
cpe:2.3:a:freescout:freescout:1.8.124
-
cpe:2.3:a:freescout:freescout:1.8.125
-
cpe:2.3:a:freescout:freescout:1.8.126
-
cpe:2.3:a:freescout:freescout:1.8.127
-
cpe:2.3:a:freescout:freescout:1.8.128
-
cpe:2.3:a:freescout:freescout:1.8.129
-
cpe:2.3:a:freescout:freescout:1.8.13
-
cpe:2.3:a:freescout:freescout:1.8.130
-
cpe:2.3:a:freescout:freescout:1.8.131
-
cpe:2.3:a:freescout:freescout:1.8.132
-
cpe:2.3:a:freescout:freescout:1.8.133
-
cpe:2.3:a:freescout:freescout:1.8.134
-
cpe:2.3:a:freescout:freescout:1.8.135
-
cpe:2.3:a:freescout:freescout:1.8.136
-
cpe:2.3:a:freescout:freescout:1.8.137
-
cpe:2.3:a:freescout:freescout:1.8.138
-
cpe:2.3:a:freescout:freescout:1.8.14
-
cpe:2.3:a:freescout:freescout:1.8.15
-
cpe:2.3:a:freescout:freescout:1.8.16
-
cpe:2.3:a:freescout:freescout:1.8.17
-
cpe:2.3:a:freescout:freescout:1.8.18
-
cpe:2.3:a:freescout:freescout:1.8.19
-
cpe:2.3:a:freescout:freescout:1.8.2
-
cpe:2.3:a:freescout:freescout:1.8.20
-
cpe:2.3:a:freescout:freescout:1.8.21
-
cpe:2.3:a:freescout:freescout:1.8.22
-
cpe:2.3:a:freescout:freescout:1.8.23
-
cpe:2.3:a:freescout:freescout:1.8.24
-
cpe:2.3:a:freescout:freescout:1.8.25
-
cpe:2.3:a:freescout:freescout:1.8.26
-
cpe:2.3:a:freescout:freescout:1.8.27
-
cpe:2.3:a:freescout:freescout:1.8.28
-
cpe:2.3:a:freescout:freescout:1.8.29
-
cpe:2.3:a:freescout:freescout:1.8.3
-
cpe:2.3:a:freescout:freescout:1.8.30
-
cpe:2.3:a:freescout:freescout:1.8.31
-
cpe:2.3:a:freescout:freescout:1.8.32
-
cpe:2.3:a:freescout:freescout:1.8.33
-
cpe:2.3:a:freescout:freescout:1.8.34
-
cpe:2.3:a:freescout:freescout:1.8.35
-
cpe:2.3:a:freescout:freescout:1.8.36
-
cpe:2.3:a:freescout:freescout:1.8.37
-
cpe:2.3:a:freescout:freescout:1.8.38
-
cpe:2.3:a:freescout:freescout:1.8.39
-
cpe:2.3:a:freescout:freescout:1.8.4
-
cpe:2.3:a:freescout:freescout:1.8.40
-
cpe:2.3:a:freescout:freescout:1.8.41
-
cpe:2.3:a:freescout:freescout:1.8.42
-
cpe:2.3:a:freescout:freescout:1.8.43
-
cpe:2.3:a:freescout:freescout:1.8.44
-
cpe:2.3:a:freescout:freescout:1.8.45
-
cpe:2.3:a:freescout:freescout:1.8.46
-
cpe:2.3:a:freescout:freescout:1.8.47
-
cpe:2.3:a:freescout:freescout:1.8.48
-
cpe:2.3:a:freescout:freescout:1.8.49
-
cpe:2.3:a:freescout:freescout:1.8.5
-
cpe:2.3:a:freescout:freescout:1.8.50
-
cpe:2.3:a:freescout:freescout:1.8.51
-
cpe:2.3:a:freescout:freescout:1.8.52
-
cpe:2.3:a:freescout:freescout:1.8.53
-
cpe:2.3:a:freescout:freescout:1.8.54
-
cpe:2.3:a:freescout:freescout:1.8.55
-
cpe:2.3:a:freescout:freescout:1.8.56
-
cpe:2.3:a:freescout:freescout:1.8.57
-
cpe:2.3:a:freescout:freescout:1.8.58
-
cpe:2.3:a:freescout:freescout:1.8.59
-
cpe:2.3:a:freescout:freescout:1.8.6
-
cpe:2.3:a:freescout:freescout:1.8.60
-
cpe:2.3:a:freescout:freescout:1.8.61
-
cpe:2.3:a:freescout:freescout:1.8.62
-
cpe:2.3:a:freescout:freescout:1.8.63
-
cpe:2.3:a:freescout:freescout:1.8.65
-
cpe:2.3:a:freescout:freescout:1.8.66
-
cpe:2.3:a:freescout:freescout:1.8.67
-
cpe:2.3:a:freescout:freescout:1.8.68
-
cpe:2.3:a:freescout:freescout:1.8.69
-
cpe:2.3:a:freescout:freescout:1.8.7
-
cpe:2.3:a:freescout:freescout:1.8.70
-
cpe:2.3:a:freescout:freescout:1.8.71
-
cpe:2.3:a:freescout:freescout:1.8.72
-
cpe:2.3:a:freescout:freescout:1.8.73
-
cpe:2.3:a:freescout:freescout:1.8.74
-
cpe:2.3:a:freescout:freescout:1.8.75
-
cpe:2.3:a:freescout:freescout:1.8.76
-
cpe:2.3:a:freescout:freescout:1.8.77
-
cpe:2.3:a:freescout:freescout:1.8.78
-
cpe:2.3:a:freescout:freescout:1.8.79
-
cpe:2.3:a:freescout:freescout:1.8.8
-
cpe:2.3:a:freescout:freescout:1.8.80
-
cpe:2.3:a:freescout:freescout:1.8.81
-
cpe:2.3:a:freescout:freescout:1.8.82
-
cpe:2.3:a:freescout:freescout:1.8.83
-
cpe:2.3:a:freescout:freescout:1.8.84
-
cpe:2.3:a:freescout:freescout:1.8.85
-
cpe:2.3:a:freescout:freescout:1.8.86
-
cpe:2.3:a:freescout:freescout:1.8.87
-
cpe:2.3:a:freescout:freescout:1.8.88
-
cpe:2.3:a:freescout:freescout:1.8.89
-
cpe:2.3:a:freescout:freescout:1.8.9
-
cpe:2.3:a:freescout:freescout:1.8.90
-
cpe:2.3:a:freescout:freescout:1.8.91
-
cpe:2.3:a:freescout:freescout:1.8.92
-
cpe:2.3:a:freescout:freescout:1.8.93
-
cpe:2.3:a:freescout:freescout:1.8.94
-
cpe:2.3:a:freescout:freescout:1.8.95
-
cpe:2.3:a:freescout:freescout:1.8.96
-
cpe:2.3:a:freescout:freescout:1.8.97
-
cpe:2.3:a:freescout:freescout:1.8.98
-
cpe:2.3:a:freescout:freescout:1.8.99