CVE-2025-48480: FreeScout Has Business Logic Errors

7.0 CVSS

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, an authorized user with the administrator role or with the privilege User::PERM_EDIT_USERS can create a user, specifying the path to the user's avatar ../.htaccess during creation, and then delete the user's avatar, resulting in the deletion of the file .htaccess in the folder /storage/app/public. This issue has been patched in version 1.8.180.

Classification

CVE ID: CVE-2025-48480

CVSS Base Severity: HIGH

CVSS Base Score: 7.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Problem Types

CWE-841: Improper Enforcement of Behavioral Workflow

Affected Products

Vendor: freescout-help-desk

Product: freescout

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 8.67% (scored less or equal to compared to others)

EPSS Date: 2025-06-07 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-48480
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-pfjf-43mp-3gp2

Timeline

2025-05-30 05:40:13 UTC
CVE

FreeScout Has Business Logic Errors