Security Vulnerabilities
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, insufficient input validation during user creation has resulted in a mass assignment vulnerability, allowing an attacker to manipulate all fields of the object, which are enumerated in the $fillable array (the User object), when creating a new user. This issue has been patched in version 1.8.180.
CVSS Score
4.9
EPSS Score
0.0
Published
2025-05-30
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the laravel-translation-manager package does not correctly validate user input, enabling the deletion of any directory, given sufficient access rights. This issue has been patched in version 1.8.180.
CVSS Score
2.7
EPSS Score
0.0
Published
2025-05-30
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, an authorized user with the administrator role or with the privilege User::PERM_EDIT_USERS can create a user, specifying the path to the user's avatar ../.htaccess during creation, and then delete the user's avatar, resulting in the deletion of the file .htaccess in the folder /storage/app/public. This issue has been patched in version 1.8.180.
CVSS Score
2.7
EPSS Score
0.0
Published
2025-05-30
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, an attacker with an unactivated email invitation containing invite_hash, can exploit this vulnerability to self-activate their account, despite it being blocked or deleted, by leveraging the invitation link from the email to gain initial access to the account. This issue has been patched in version 1.8.180.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-05-30
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, when adding and editing user records using the fill() method, there is no check for the absence of the password field in the data coming from the user, which leads to a mass-assignment vulnerability. As a result, a user with the right to edit other users of the system can change their password, and then log in to the system using the set password. This issue has been patched in version 1.8.180.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-05-30
hdf5 v1.14.6 was discovered to contain a heap buffer overflow via the H5Z__filter_scaleoffset function.
CVSS Score
8.8
EPSS Score
0.0
Published
2025-05-30
jhead v3.08 was discovered to contain a heap-use-after-free via the ProcessFile function at jhead.c.
CVSS Score
7.8
EPSS Score
0.0
Published
2025-05-30
hdf5 v1.14.6 was discovered to contain a heap buffer overflow via the H5VM_memcpyvv function.
CVSS Score
8.8
EPSS Score
0.0
Published
2025-05-30
Tinxy WiFi Lock Controller v1 RF was discovered to transmit sensitive information in plaintext, including control information and device credentials, allowing attackers to possibly intercept and access sensitive information via a man-in-the-middle attack.
CVSS Score
5.9
EPSS Score
0.0
Published
2025-05-30
Tinxy WiFi Lock Controller v1 RF was discovered to store users' sensitive information, including credentials and mobile phone numbers, in plaintext.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-05-30