Key Information

Vulnerability Overview
Vulnerability Type: Remote Code Execution (RCE) due to deserialization of untrusted data
CVE ID: CWE-502: Deserialization of Untrusted Data
CAPEC ID: 586: Object Injection
CVSS v4.0 Base Score: 8.6 (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Affected and Fixed Versions
Affected Version: 1.8.185
Fixed Version: 1.8.186

Description
Product: FreeScout
Version: 1.8.182
Description: The application deserializes data that can be tampered with. An attacker can create objects of arbitrary classes and fully control their properties, thereby manipulating the logic of the web application.

Vulnerable Scenario:
Vulnerable Parameters:
-
-
Exploitation Condition: Knowledge of

Researchers
Danil Satyaev, Roman Cheremykhk, Artem Danilov (Positive Technologies)

Vulnerable Code

Exploitation Scenario
HTTP Request Example:
Serialized Payload Example:
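The weakness described above (CWE-502) comes from handing attacker-controllable bytes to PHP's unserialize(), which instantiates whatever class the data names and runs its magic methods. The following is an added example written for this advisory; it is not FreeScout's code and does not reproduce the vulnerable code or payload the advisory elides. It contrasts the weak pattern with two mitigations a defender would apply: refusing object instantiation via the allowed_classes option, and authenticating the blob with an HMAC before it ever reaches unserialize(). The key constant, function names and sample inputs are assumptions constructed for the demo.

```php
<?php
// Added example (not FreeScout code): unrestricted unserialize() beside two
// hardened decoders. All names and values here are constructed for illustration.

declare(strict_types=1);

// Hypothetical secret; a real application loads this from its key store.
const EXAMPLE_KEY = 'replace-with-app-secret';

// Weak pattern: any autoloadable class named in the blob is instantiated with
// attacker-chosen properties, and its __wakeup/__destruct hooks execute.
function decodeUnrestricted(string $blob): mixed
{
    return unserialize($blob);
}

// Mitigation 1: forbid object instantiation. Any O:... token is turned into a
// __PHP_Incomplete_Class stub, so no magic method of a real class can run.
function decodeNoObjects(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Mitigation 2: sign the serialized payload so tampering is detected before
// deserialization. Origin authentication plus class restriction limits impact.
function encodeSigned(mixed $value, string $key): string
{
    $payload = base64_encode(serialize($value));
    $mac = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $mac;
}

function decodeSigned(string $token, string $key): mixed
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('malformed token');
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    // Constant-time comparison avoids leaking the MAC through timing.
    if (!hash_equals($expected, $mac)) {
        throw new RuntimeException('signature mismatch: data was tampered with');
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        throw new InvalidArgumentException('malformed payload');
    }
    // Keep allowed_classes=false even for authenticated data (defense in depth).
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed demo inputs: a plain array and a serialized object of some class.
$benign   = serialize(['page' => 2]);
$tampered = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

var_dump(decodeNoObjects($benign));
var_dump(decodeNoObjects($tampered) instanceof __PHP_Incomplete_Class);

$token = encodeSigned(['page' => 2], EXAMPLE_KEY);
var_dump(decodeSigned($token, EXAMPLE_KEY));

try {
    decodeSigned($token . 'x', EXAMPLE_KEY); // altered token is rejected
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The fix shipped in the fixed version listed above is not reproduced here; the point of the example is that allowed_classes removes the "arbitrary classes" capability the description names, while the signature check stops tampered data from being parsed at all. Where an application needs real objects back, pass an explicit whitelist of class names to allowed_classes rather than true, and prefer a data-only format such as JSON for anything that crosses a trust boundary.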