Arbitrary File Deletion in FreeScout Help Desk by Authorized Users
CVE-2025-48480

7 HIGH

Key Information:

Status
Vendor
CVE Published: 30 May 2025

What is CVE-2025-48480?

FreeScout is a self-hosted help desk solution. In versions before 1.8.180, an authorized user with administrator privileges can specify the path to the avatar file during user creation, which enables them to delete the .htaccess file located in /storage/app/public. Deleting that file compromises the integrity of the system and can lead to significant security risks. The issue has been addressed in version 1.8.180, and users should update to this version to mitigate potential threats.

Affected Version(s)

freescout < 1.8.180

References

CVSS V4

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
