CVE-2025-48471: FreeScout Vulnerable to Arbitrary File Upload

7.0 CVSS

Description

FreeScout is a free, self-hosted help desk and shared mailbox. Prior to version 1.8.179, the application performs no check, or an insufficient check, on the type of files uploaded to it, so files with the phtml and phar extensions can be uploaded. On an Apache web server whose PHP handler configuration maps those extensions to the PHP interpreter (the Debian/Ubuntu module configuration matches .php, .phar and .phtml by default), this can lead to remote code execution. The CVSS vector below rates the required privileges as high (PR:H), so the upload has to be performed from a highly privileged account. This issue has been patched in version 1.8.179.
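The following is an added example, not FreeScout's code and not the fix in the referenced commit. It contrasts the class of check the description refers to, an extension blocklist that omits phtml and phar, with an allowlist-based check that also rejects a server-executable extension in any position of the name (Apache's AddHandler-style configuration looks at every extension, so a name like shell.php.jpg is not safe either), refuses dotfiles such as .htaccess, and stores the file under a random name. The allowed-extension set, the blocklist and the sample file names are constructed for illustration and are not taken from the project.

```python
"""Upload extension checks: a blocklist that misses .phtml/.phar versus
an allowlist-based check. Hypothetical example code; the sets below are
assumptions for illustration, not FreeScout's configuration."""
import secrets
import unicodedata

# A too-short blocklist of the kind that lets .phtml and .phar through.
WEAK_BLOCKLIST = {"php", "php3", "php4", "php5", "cgi", "pl", "sh", "exe"}

# What a help desk plausibly needs to accept (assumption for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "csv",
                      "zip", "docx", "xlsx"}

# Extensions a web server may hand to an interpreter or treat as config.
# Debian/Ubuntu map .php/.phar/.phtml to PHP via a FilesMatch rule.
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "php8", "phtml",
                     "phar", "phps", "pht", "cgi", "pl", "shtml",
                     "htaccess", "htpasswd"}


def weak_is_allowed(filename: str) -> bool:
    """Blocklist on the final extension only: .phtml and .phar slip through."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in WEAK_BLOCKLIST


def _normalized_name(filename: str) -> str:
    """Drop any path component, normalize Unicode, and strip trailing dots
    and spaces (which some filesystems silently remove)."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return unicodedata.normalize("NFKC", name).strip().rstrip(". ")


def hardened_is_allowed(filename: str) -> bool:
    """Allowlist on the final extension, plus rejection of executable
    extensions anywhere in the name, dotfiles, and control characters."""
    name = _normalized_name(filename)
    if not name or any(ord(c) < 32 or c == "\x7f" for c in name):
        return False                      # empty name, NUL byte, etc.
    segments = [s.lower() for s in name.split(".")]
    if len(segments) < 2 or not all(segments):
        return False                      # no extension, or dotfile like .htaccess
    if segments[-1] not in ALLOWED_EXTENSIONS:
        return False                      # covers .phtml and .phar
    if any(s in SERVER_EXECUTABLE for s in segments[:-1]):
        return False                      # e.g. shell.php.jpg under AddHandler
    return True


def storage_name_for(filename: str) -> str:
    """Random on-disk name keeping only the validated extension, so the
    user-supplied name never reaches the filesystem or a URL."""
    if not hardened_is_allowed(filename):
        raise ValueError("file type not allowed")
    ext = _normalized_name(filename).rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample names, not captured traffic.
    for sample in ["invoice.PDF", "shell.phtml", "shell.phar",
                   "shell.php.jpg", ".htaccess", "../../x.pHP", "photo"]:
        print(f"{sample:15} weak={weak_is_allowed(sample)!s:5} "
              f"hardened={hardened_is_allowed(sample)}")
```

The point of the second function is not the particular sets but the shape of the check: decide on the last extension against an allowlist, then refuse anything the server might still interpret elsewhere in the name, and never reuse the submitted name on disk.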

Classification

CVE ID: CVE-2025-48471

CVSS Base Severity: HIGH

CVSS Base Score: 7.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Problem Types

CWE-434: Unrestricted Upload of File with Dangerous Type

Affected Products

Vendor: freescout-help-desk

Product: freescout

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.36% (estimated probability of exploitation activity in the wild within the next 30 days)

EPSS Percentile: 57.25% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-07 (date the score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-48471
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-h2f3-932h-v38j
https://github.com/freescout-help-desk/freescout/commit/e136660e8dbc220454b8d3f646dd1b144e49e9ed

Timeline