CVE-2025-48484 is a medium-severity Cross-Site Scripting (XSS) vulnerability identified in FreeScout, a free, self-hosted help desk and shared mailbox application. The vulnerability affects versions prior to 1.8.178 and arises from improper input validation and sanitization of user-supplied data within the conversation POST data body. Specifically, the application fails to neutralize malicious scripts embedded in user inputs during web page generation, classified under CWE-79. This flaw allows an attacker with low privileges and requiring user interaction to inject malicious scripts that execute in the context of other users' browsers when viewing the affected conversation data. The vulnerability has a CVSS 4.0 base score of 4.6, indicating a medium impact primarily due to its network attack vector, low attack complexity, and the need for partial authentication and user interaction. The vulnerability does not impact confidentiality, integrity, or availability directly but can be leveraged for session hijacking, phishing, or delivering further payloads. No known exploits are reported in the wild, and the issue was patched in FreeScout version 1.8.178.

For European organizations using FreeScout as their help desk or shared mailbox solution, this vulnerability poses a risk of client-side attacks that could compromise user sessions or lead to credential theft if exploited. Since FreeScout is self-hosted, organizations that have not updated to the patched version remain exposed. The impact is particularly relevant for organizations handling sensitive customer or internal support data, as attackers could leverage XSS to impersonate users or escalate attacks within the internal network. While the vulnerability does not directly compromise server-side data or availability, the potential for social engineering and session hijacking could lead to unauthorized access to support tickets or internal communications. This risk is heightened in sectors with strict data protection regulations such as GDPR, where any compromise of personal data or unauthorized access can lead to regulatory penalties and reputational damage.

European organizations should immediately verify their FreeScout version and upgrade to version 1.8.178 or later to apply the official patch. Beyond patching, administrators should implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Input validation and output encoding should be enforced at the application level, especially for user-generated content in conversations. Organizations should also conduct regular security audits and penetration testing focusing on web application vulnerabilities. User awareness training is recommended to reduce the risk of social engineering attacks that may leverage XSS payloads. Additionally, monitoring web server logs and application behavior for unusual activity related to conversation POST requests can help detect exploitation attempts early.