CVE-2026-34442
Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-20
Validación incorrecta de entrada
Fecha de publicación:
31/03/2026
Última modificación:
01/04/2026
Descripción
*** Pendiente de traducción *** FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, host header manipulation in FreeScout version (http://localhost:8080/system/status) allows an attacker to inject an arbitrary domain into generated absolute URLs. This leads to External Resource Loading and Open Redirect behavior. When the application constructs links and assets using the unvalidated Host header, user requests can be redirected to attacker-controlled domains and external resources may be loaded from malicious servers. This issue has been patched in version 1.8.211.
Impacto
Puntuación base 3.x
5.40
Gravedad 3.x
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:* | 1.8.211 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://github.com/freescout-help-desk/freescout/commit/889d75c8e3c15e6a7ddb6a4d4f65cc0379c29213
- https://github.com/freescout-help-desk/freescout/releases/tag/1.8.211
- https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-822g-7rw5-53xj
- https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-822g-7rw5-53xj