CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-48488: FreeScout Vulnerable to Stored XSS

4.6 CVSS

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, deleting the file .htaccess allows an attacker to upload an HTML file containing malicious JavaScript code to the server, which can result in a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.180.

Classification

CVE ID: CVE-2025-48488

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.6

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

Vendor: freescout-help-desk

Product: freescout

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 6.94% (scored less or equal to compared to others)

EPSS Date: 2025-06-16 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-48488
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-2m76-538h-7hf9

Timeline

2025-05-30 07:40:18 UTC
CVE

FreeScout Vulnerable to Stored XSS