Deserialization of untrusted data leads to Remote code execution (RCE) [1]
Deserialization of untrusted data leads to Remote code execution (RCE) [2]
Deserialization of untrusted data leads to Remote code execution (RCE) [3]
Deserialization of untrusted data leads to Remote code execution (RCE) [4]
Deserialization of untrusted data leads to Remote code execution (RCE) [5]
Deserialization of untrusted data leads to Remote code execution (RCE) [6]
Deserialization of untrusted data leads to Remote code execution (RCE) [7]
Deserialization of untrusted data leads to Remote code execution (RCE) [8]
Deserialization of untrusted data leads to Remote code execution (RCE) [9]
Deserialization of untrusted data leads to Remote code execution (RCE) [10]
Server-Side Request Forgery (SSRF) leads to Local file read
Insufficient authorization [1]
Insufficient authorization [2]
Insufficient authorization [3]
Insufficient authorization [4]
Insufficient authorization [5]
Stored XSS [1]
Stored XSS [2]
SSRF [1]
SSRF [2]
SSRF [3]

Deserialization of untrusted data leads to Remote code execution (RCE) [1]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-502: Deserialization of Untrusted Data
CVSS vector v.4.0: 8.6 (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
Description: The application deserializes data that an attacker can tamper with. By submitting a crafted serialized object, the attacker instantiates objects of arbitrary classes with fully controlled properties and so manipulates the application's logic; with a suitable gadget chain this yields remote code execution on the server.
Patched version: 1.8.186 (https://github.com/freescout-help-desk/freescout/releases/tag/1.8.186)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)

Deserialization of untrusted data leads to Remote code execution (RCE) [2]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-502: Deserialization of Untrusted Data
CVSS vector v.4.0: 7.2 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N)
Description: The application deserializes data that an attacker can tamper with. By submitting a crafted serialized object, the attacker instantiates objects of arbitrary classes with fully controlled properties and so manipulates the application's logic; with a suitable gadget chain this yields remote code execution on the server.
Patched version: 1.8.186 (https://github.com/freescout-help-desk/freescout/releases/tag/1.8.186)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)

Deserialization of untrusted data leads to Remote code execution (RCE) [3]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-502: Deserialization of Untrusted Data
CVSS vector v.4.0: 7.0 (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N)
Description: The application deserializes data that an attacker can tamper with. By submitting a crafted serialized object, the attacker instantiates objects of arbitrary classes with fully controlled properties and so manipulates the application's logic; with a suitable gadget chain this yields remote code execution on the server.
Patched version: 1.8.186 (https://github.com/freescout-help-desk/freescout/releases/tag/1.8.186)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)

Deserialization of untrusted data leads to Remote code execution (RCE) [4]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-502: Deserialization of Untrusted Data
CVSS vector v.4.0: 7.0 (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N)
Description: The application deserializes data that an attacker can tamper with. By submitting a crafted serialized object, the attacker instantiates objects of arbitrary classes with fully controlled properties and so manipulates the application's logic; with a suitable gadget chain this yields remote code execution on the server.
Patched version: 1.8.186 (https://github.com/freescout-help-desk/freescout/releases/tag/1.8.186)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)

Deserialization of untrusted data leads to Remote code execution (RCE) [5]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-502: Deserialization of Untrusted Data
CVSS vector v.4.0: 7.2 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N)
Description: The application deserializes data that an attacker can tamper with. By submitting a crafted serialized object, the attacker instantiates objects of arbitrary classes with fully controlled properties and so manipulates the application's logic; with a suitable gadget chain this yields remote code execution on the server.
Patched version: 1.8.186 (https://github.com/freescout-help-desk/freescout/releases/tag/1.8.186)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)

Deserialization of untrusted data leads to Remote code execution (RCE) [6]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-502: Deserialization of Untrusted Data
CVSS vector v.4.0: 7.0 (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N)
Description: The application deserializes data that an attacker can tamper with. By submitting a crafted serialized object, the attacker instantiates objects of arbitrary classes with fully controlled properties and so manipulates the application's logic; with a suitable gadget chain this yields remote code execution on the server.
Patched version: 1.8.186 (https://github.com/freescout-help-desk/freescout/releases/tag/1.8.186)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)

Deserialization of untrusted data leads to Remote code execution (RCE) [7]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-502: Deserialization of Untrusted Data
CVSS vector v.4.0: 7.0 (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N)
Description: The application deserializes data that an attacker can tamper with. By submitting a crafted serialized object, the attacker instantiates objects of arbitrary classes with fully controlled properties and so manipulates the application's logic; with a suitable gadget chain this yields remote code execution on the server.
Patched version: 1.8.186 (https://github.com/freescout-help-desk/freescout/releases/tag/1.8.186)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)

Deserialization of untrusted data leads to Remote code execution (RCE) [8]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-502: Deserialization of Untrusted Data
CVSS vector v.4.0: 7.0 (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N)
Description: The application deserializes data that an attacker can tamper with. By submitting a crafted serialized object, the attacker instantiates objects of arbitrary classes with fully controlled properties and so manipulates the application's logic; with a suitable gadget chain this yields remote code execution on the server.
Patched version: 1.8.186 (https://github.com/freescout-help-desk/freescout/releases/tag/1.8.186)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)

Deserialization of untrusted data leads to Remote code execution (RCE) [9]

Product: FreeScout (v.1.8.182)
Identifier: CVE-2025-54366
CWE-ID: CWE-502: Deserialization of Untrusted Data
CVSS vector v.4.0: 8.6 (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
Description: The application deserializes data that an attacker can tamper with. By submitting a crafted serialized object, the attacker instantiates objects of arbitrary classes with fully controlled properties and so manipulates the application's logic; with a suitable gadget chain this yields remote code execution on the server.
Patched version: 1.8.186 (https://github.com/freescout-help-desk/freescout/releases/tag/1.8.186)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)

Deserialization of untrusted data leads to Remote code execution (RCE) [10]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-502: Deserialization of Untrusted Data
CVSS vector v.4.0: 8.7 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
Description: The application deserializes data that an attacker can tamper with. By submitting a crafted serialized object, the attacker instantiates objects of arbitrary classes with fully controlled properties and so manipulates the application's logic; with a suitable gadget chain this yields remote code execution on the server.
Patched version: 1.8.186 (https://github.com/freescout-help-desk/freescout/releases/tag/1.8.186)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)
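
The ten findings above share one root cause. The following example was added for this page and is not code from FreeScout or from the researchers; it shows in plain PHP what "create objects of arbitrary classes and fully control their properties" means in practice, and two ways of closing the hole. CacheWriter, buildPayload, seal and the load* functions are hypothetical names; CacheWriter stands in for a gadget class that would be found in the real code base or its Composer dependencies.

```php
<?php
declare(strict_types=1);

// Added example, not FreeScout's code. CacheWriter is a hypothetical gadget:
// real chains are built from classes that already exist in the application
// and its dependencies.
class CacheWriter
{
    public string $path = '';
    public string $content = '';

    // PHP calls this when the object is destroyed. With attacker-controlled
    // properties, merely deserializing the object writes an arbitrary file
    // (a .php file under the web root would be a web shell).
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

// Hand-built serialized object, exactly what an attacker would submit.
function buildPayload(string $path, string $content): string
{
    return sprintf(
        'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
        strlen($path), $path, strlen($content), $content
    );
}

// Vulnerable: any class named in the payload is instantiated, and its
// __wakeup/__unserialize/__destruct/__toString code runs on the server.
function loadVulnerable(string $data)
{
    return unserialize($data);
}

// Hardened: no class is instantiated; objects come back as
// __PHP_Incomplete_Class, which has no magic methods to trigger.
function loadNoObjects(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Hardened, for data the application itself produced and must round-trip:
// authenticate the blob with an HMAC before unserialize() ever sees it, and
// still restrict the classes that may be instantiated.
function seal(string $data, string $key): string
{
    return hash_hmac('sha256', $data, $key) . '.' . base64_encode($data);
}

function loadSealed(string $token, string $key, array $allowedClasses)
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $data = base64_decode($parts[1], true);
    if ($data === false || !hash_equals(hash_hmac('sha256', $data, $key), $parts[0])) {
        return null;                          // tampered or forged
    }
    return unserialize($data, ['allowed_classes' => $allowedClasses]);
}

$target  = sys_get_temp_dir() . '/deser-demo-' . getmypid() . '.txt';
$payload = buildPayload($target, "written by __destruct\n");

$obj = loadVulnerable($payload);
echo 'vulnerable: instantiated ', get_class($obj), PHP_EOL;
unset($obj);                                  // destructor fires here
echo 'vulnerable: file written? ', var_export(file_exists($target), true), PHP_EOL;
@unlink($target);

$obj = loadNoObjects($payload);
echo 'allowed_classes=false: got ', get_class($obj), PHP_EOL;
unset($obj);
echo 'allowed_classes=false: file written? ', var_export(file_exists($target), true), PHP_EOL;

$key = random_bytes(32);
echo 'sealed, genuine: ', json_encode(loadSealed(seal(serialize(['page' => 2]), $key), $key, [])), PHP_EOL;
echo 'sealed, forged with another key: ', var_export(loadSealed(seal($payload, random_bytes(32)), $key, ['CacheWriter']), true), PHP_EOL;
```

For input that originates from users, the right fix is not to use PHP serialization at all (JSON carries no class names); allowed_classes => false still lets the attacker drive the parser with arbitrarily nested structures. The seal/loadSealed pattern is for state the application generated itself and hands back later, the same pattern frameworks use for signed cookies; without the MAC, a deserialization sink that accepts a signed-looking blob is still exploitable by anyone who can write to the storage it reads from.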

Server-Side Request Forgery (SSRF) leads to Local file read

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-20: Improper Input Validation
CVSS vector v.4.0: 8.6 (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
Description: The application does not sufficiently validate a user-supplied address before the server requests it. An attacker can point it at files stored on the server and read their contents, and can make the server send requests to hosts on the local network (Server-Side Request Forgery, SSRF).
Patched version: OAuth & Social Login Module v1.0.22 (https://freescout.net/module/oauth-login/)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)

Insufficient authorization [1]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-863: Incorrect Authorization
CVSS vector v.4.0: 8.6 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)
Description: The application does not correctly check the user's access rights. An authenticated attacker can reach information or functionality that their granted privileges do not cover.
Patched version: Extended Attachments Module v1.0.27 (https://freescout.net/module/extended-attachments/)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)

Insufficient authorization [2]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-863: Incorrect Authorization
CVSS vector v.4.0: 8.6 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)
Description: The application does not correctly check the user's access rights. An authenticated attacker can reach information or functionality that their granted privileges do not cover.
Patched version: Kanban Module v1.0.29 (https://freescout.net/module/kanban/)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)

Insufficient authorization [3]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-863: Incorrect Authorization
CVSS vector v.4.0: 5.3 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)
Description: The application does not correctly check the user's access rights. An authenticated attacker can reach information or functionality that their granted privileges do not cover.
Patched version: Custom Fields Module v1.0.42 (https://freescout.net/module/custom-fields/)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)

Insufficient authorization [4]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-863: Incorrect Authorization
CVSS vector v.4.0: 5.3 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)
Description: The application does not correctly check the user's access rights. An authenticated attacker can reach information or functionality that their granted privileges do not cover.
Patched version: Kanban Module v1.0.30 (https://freescout.net/module/kanban/)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)

Insufficient authorization [5]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-863: Incorrect Authorization
CVSS vector v.4.0: 0 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N)
Description: The application does not correctly check the user's access rights. An authenticated attacker can reach information or functionality that their granted privileges do not cover.
Patched version: Knowledge Base Module v1.0.91 (https://freescout.net/module/knowledge-base/)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)
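
The five "Insufficient authorization" findings above are all in modules that expose objects (attachments, Kanban cards, custom fields, knowledge-base content) by identifier. The following example was added for this page and is not code from FreeScout or any of its modules; it contrasts a handler that only checks that a session exists with one that also verifies the requested object belongs to a mailbox the user may access. The data model (users, mailboxes, conversations, attachments), the Repo class and the function names are a hypothetical simplification.

```php
<?php
declare(strict_types=1);

// Added example, not FreeScout module code. Demonstrates object-level
// authorization: being logged in is not enough, the object itself must be
// checked against the caller's privileges.
final class AuthzDenied extends RuntimeException {}

final class Repo
{
    // Constructed fixture: mailbox 1 is support@, mailbox 2 is billing@.
    public array $userMailboxes = [10 => [1], 20 => [2]];      // user id => mailbox ids
    public array $admins = [99];
    public array $conversations = [100 => ['mailbox_id' => 1], 200 => ['mailbox_id' => 2]];
    public array $attachments = [
        5 => ['conversation_id' => 100, 'file' => 'invoice.pdf'],
        6 => ['conversation_id' => 200, 'file' => 'contract.pdf'],
    ];

    public function mailboxOfAttachment(int $attachmentId): ?int
    {
        $att = $this->attachments[$attachmentId] ?? null;
        return $att === null ? null : ($this->conversations[$att['conversation_id']]['mailbox_id'] ?? null);
    }
}

function canAccessMailbox(Repo $repo, int $userId, int $mailboxId): bool
{
    if (in_array($userId, $repo->admins, true)) {
        return true;
    }
    return in_array($mailboxId, $repo->userMailboxes[$userId] ?? [], true);
}

// Vulnerable: authenticates the caller, then serves whatever id was requested.
function downloadAttachmentVulnerable(Repo $repo, ?int $currentUserId, int $attachmentId): string
{
    if ($currentUserId === null) {
        throw new AuthzDenied('login required');
    }
    if (!isset($repo->attachments[$attachmentId])) {
        throw new AuthzDenied('not found');
    }
    return $repo->attachments[$attachmentId]['file'];
}

// Fixed: authenticate, resolve the object's mailbox, authorize against it.
function downloadAttachmentFixed(Repo $repo, ?int $currentUserId, int $attachmentId): string
{
    if ($currentUserId === null) {
        throw new AuthzDenied('login required');
    }
    $mailboxId = $repo->mailboxOfAttachment($attachmentId);
    // Same response for "missing" and "forbidden", so ids cannot be enumerated.
    if ($mailboxId === null || !canAccessMailbox($repo, $currentUserId, $mailboxId)) {
        throw new AuthzDenied('not found');
    }
    return $repo->attachments[$attachmentId]['file'];
}

$repo = new Repo();
// user 10 owns mailbox 1 only; attachment 6 lives in mailbox 2.
foreach ([[10, 5], [10, 6], [20, 6], [99, 6], [null, 5]] as [$user, $att]) {
    foreach (['downloadAttachmentVulnerable', 'downloadAttachmentFixed'] as $fn) {
        try {
            $result = $fn($repo, $user, $att);
        } catch (AuthzDenied $e) {
            $result = 'denied (' . $e->getMessage() . ')';
        }
        printf("%-28s user %-4s attachment %d: %s\n", $fn, var_export($user, true), $att, $result);
    }
}
```

The check has to run in every route that resolves an object from a request parameter, including the ones added by optional modules; a module that reuses the core's models but not its authorization middleware is exactly how this class of bug reappears after the core has been fixed.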

Stored XSS [1]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVSS vector v.4.0: 6.1 (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N)
Description: The application does not encode user-supplied data before inserting it into a web page. An attacker can inject arbitrary HTML, including JavaScript, into a page that is later rendered in other users' browsers (stored XSS) and thereby attack those users, for example through social-engineering content or actions performed with their browser session.
Patched version: End-User Portal Module v1.0.95 (https://freescout.net/module/end-user-portal/), Teams Module v1.0.23 (https://freescout.net/module/teams/)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)

Stored XSS [2]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVSS vector v.4.0: 6.1 (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N)
Description: The application does not encode user-supplied data before inserting it into a web page. An attacker can inject arbitrary HTML, including JavaScript, into a page that is later rendered in other users' browsers (stored XSS) and thereby attack those users, for example through social-engineering content or actions performed with their browser session.
Patched version: Knowledge Base Module v1.0.92 (https://freescout.net/module/knowledge-base/)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)
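
Both stored XSS findings come down to stored strings being written into a page without context-appropriate encoding. The following example was added for this page and is not code from FreeScout or its modules; it renders the same constructed payloads through a vulnerable template and through a fixed one that encodes for the HTML body, an attribute and an inline script context. escHtml, escJs and the render* functions are hypothetical names.

```php
<?php
declare(strict_types=1);

// Added example, not FreeScout code. Output encoding for three contexts;
// the payloads are constructed test strings.
function escHtml(string $s): string
{
    // Body and attribute context: encode &, <, >, " and '. ENT_SUBSTITUTE
    // replaces invalid UTF-8 instead of returning an empty string, which
    // would otherwise let malformed input vanish from the page silently.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function escJs(string $s): string
{
    // Inline <script> context: JSON-encode and hex-escape the characters that
    // could close the script element or break out of the string literal.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
}

// Vulnerable: stored values are concatenated straight into the markup.
function renderVulnerable(string $name, string $note): string
{
    return "<p>{$name}</p>\n"
         . "<input value=\"{$note}\">\n"
         . "<script>var note = '{$note}';</script>";
}

// Fixed: each value is encoded for the context it lands in.
function renderFixed(string $name, string $note): string
{
    return '<p>' . escHtml($name) . "</p>\n"
         . '<input value="' . escHtml($note) . "\">\n"
         . '<script>var note = ' . escJs($note) . ';</script>';
}

// Constructed stored payloads: one for the body, one that breaks out of an
// attribute and, if reused in a script, out of the string and the element.
$name = '<img src=x onerror=alert(document.cookie)>';
$note = '" autofocus onfocus="alert(1)\'; </script><script>alert(2)</script>';

echo "--- vulnerable ---\n", renderVulnerable($name, $note), "\n\n";
echo "--- fixed ---\n", renderFixed($name, $note), "\n";
```

In Laravel templates the escHtml step is what Blade's {{ }} does and what {!! !!} skips. Content that legitimately carries HTML, such as knowledge-base articles, cannot be fixed by encoding; it needs a sanitizer that allowlists elements and attributes (HTML Purifier is the usual choice in PHP), applied on output or at least on every write path, with a Content-Security-Policy as defense in depth.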

SSRF [1]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-918: Server-Side Request Forgery (SSRF)
CVSS vector v.4.0: 6.1 (AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N)
Description: The application does not sufficiently validate the destination address before issuing a server-side HTTP request. An attacker can make the server send requests to external hosts and to servers with restricted access (for example, on the local network), which can lead to disclosure of sensitive data, denial of service and more.
Patched version: Easy Digital Downloads Module v1.0.8 (https://freescout.net/module/easy-digital-downloads/)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)

SSRF [2]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-918: Server-Side Request Forgery (SSRF)
CVSS vector v.4.0: 6.1 (AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N)
Description: The application does not sufficiently validate the destination address before issuing a server-side HTTP request. An attacker can make the server send requests to external hosts and to servers with restricted access (for example, on the local network), which can lead to disclosure of sensitive data, denial of service and more.
Patched version: OAuth & Social Login Module v1.0.22 (https://freescout.net/module/oauth-login/)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)

SSRF [3]

Product: FreeScout (v.1.8.182)
CWE-ID: CWE-918: Server-Side Request Forgery (SSRF)
CVSS vector v.4.0: 6.1 (AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N)
Description: The application does not sufficiently validate the destination address before issuing a server-side HTTP request. An attacker can make the server send requests to external hosts and to servers with restricted access (for example, on the local network), which can lead to disclosure of sensitive data, denial of service and more.
Patched version: Faster Search Module v1.0.22 (https://freescout.net/module/faster-search/)
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)
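
The "SSRF leads to Local file read" finding and SSRF [1] to [3] above are all cases of a module fetching a user-supplied URL without checking where it points. The following example was added for this page and is not code from FreeScout or its modules; it shows the validation a practitioner would put in front of such a fetch: a scheme allowlist (which is what stops file:// from turning the request into a local file read), rejection of credentials in the URL, and resolution of the host with every answer checked against non-public address ranges. UrlPolicy and its methods are hypothetical names; the DNS answers in the demo are constructed so the block runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not code from FreeScout or its modules.
final class UrlPolicy
{
    private const ALLOWED_SCHEMES = ['http', 'https'];

    // Ranges a server-side fetch must never reach. ::ffff:0:0/96 drops all
    // IPv4-mapped IPv6 addresses, a common way to smuggle 127.0.0.1 past
    // IPv4-only filters.
    private const BLOCKED_CIDRS = [
        '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
        '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16',
        '224.0.0.0/4', '240.0.0.0/4',
        '::/128', '::1/128', '::ffff:0:0/96', 'fc00::/7', 'fe80::/10',
    ];

    /** @var callable(string): string[] */
    private $resolver;

    public function __construct(?callable $resolver = null)
    {
        // Default resolver uses real DNS; the demo below injects a fixed map.
        $this->resolver = $resolver ?? static function (string $host): array {
            $v4 = gethostbynamel($host) ?: [];
            $v6 = array_column(dns_get_record($host, DNS_AAAA) ?: [], 'ipv6');
            return array_merge($v4, $v6);
        };
    }

    /** Returns the IP the client must connect to, or null when the URL is rejected. */
    public function resolveIfAllowed(string $url): ?string
    {
        $p = parse_url($url);
        if ($p === false || !isset($p['scheme'], $p['host'])) {
            return null;
        }
        if (!in_array(strtolower($p['scheme']), self::ALLOWED_SCHEMES, true)) {
            return null;                          // file://, gopher://, dict:// ...
        }
        if (isset($p['user']) || isset($p['pass'])) {
            return null;                          // http://trusted.example@127.0.0.1/
        }
        $host = trim($p['host'], '[]');           // parse_url keeps brackets on IPv6 literals
        $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : ($this->resolver)($host);
        if ($ips === []) {
            return null;
        }
        foreach ($ips as $ip) {                   // one internal record poisons the whole name
            if (self::isBlocked($ip)) {
                return null;
            }
        }
        return $ips[0];
    }

    private static function isBlocked(string $ip): bool
    {
        $bin = inet_pton($ip);
        if ($bin === false) {
            return true;
        }
        foreach (self::BLOCKED_CIDRS as $cidr) {
            [$net, $bits] = explode('/', $cidr);
            $netBin = inet_pton($net);
            if (strlen($netBin) === strlen($bin) && self::prefixMatches($bin, $netBin, (int) $bits)) {
                return true;
            }
        }
        return false;
    }

    private static function prefixMatches(string $a, string $b, int $bits): bool
    {
        $full = intdiv($bits, 8);
        if (substr($a, 0, $full) !== substr($b, 0, $full)) {
            return false;
        }
        $rem = $bits % 8;
        if ($rem === 0) {
            return true;
        }
        $mask = (0xFF << (8 - $rem)) & 0xFF;
        return (ord($a[$full]) & $mask) === (ord($b[$full]) & $mask);
    }
}

// Constructed DNS answers for the demo; rebind.example mixes a public and a loopback record.
$dns = [
    'intranet.example' => ['10.0.0.5'],
    'rebind.example'   => ['203.0.113.10', '127.0.0.1'],
    'public.example'   => ['203.0.113.10'],
];
$policy = new UrlPolicy(static fn (string $h): array => $dns[$h] ?? []);

foreach ([
    'file:///etc/passwd',
    'http://169.254.169.254/latest/meta-data/',
    'http://[::1]:8080/',
    'http://[::ffff:127.0.0.1]/',
    'http://user@intranet.example/',
    'http://intranet.example/',
    'http://rebind.example/',
    'https://public.example/callback',
] as $url) {
    $ip = $policy->resolveIfAllowed($url);
    printf("%-42s %s\n", $url, $ip === null ? 'rejected' : "allowed, connect to $ip");
}
```

The returned IP is the address the HTTP client must actually connect to: pin it with CURLOPT_RESOLVE (or connect to the IP and send the original Host header) so that a second lookup cannot return a different answer (DNS rebinding), set CURLOPT_FOLLOWLOCATION to false or re-run the check on every redirect target, and limit CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS to HTTP and HTTPS. Without those three steps the check above is bypassable even though every URL it sees looks public.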