Skip to main content

CVE-2025-48875: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in freescout-help-desk freescout

Medium
VulnerabilityCVE-2025-48875cvecve-2025-48875cwe-79
Published: Fri May 30 2025 (05/30/2025, 06:26:24 UTC)
Source: CVE Database V5
Vendor/Project: freescout-help-desk
Product: freescout

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of last_name and first_name during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.181.

AI-Powered Analysis

AILast updated: 07/07/2025, 21:11:51 UTC

Technical Analysis

CVE-2025-48875 is a medium severity Cross-Site Scripting (XSS) vulnerability affecting FreeScout, a free self-hosted help desk and shared mailbox software. The vulnerability exists in versions prior to 1.8.181 due to improper input validation of the 'last_name' and 'first_name' fields during profile data updates. Specifically, the application fails to correctly neutralize malicious JavaScript code injected into these fields. When such malicious input is deleted, the injected JavaScript executes within the context of a flash-message, leading to a reflected XSS attack vector. This flaw is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The vulnerability has a CVSS 4.6 score, indicating a medium severity level, with an attack vector of network (remote), requiring low privileges but user interaction, and high attack complexity. No known exploits are currently reported in the wild, and the issue was patched in FreeScout version 1.8.181. The vulnerability does not impact confidentiality, integrity, or availability directly but can be leveraged to execute arbitrary scripts in the victim’s browser, potentially leading to session hijacking, phishing, or other client-side attacks within the context of the FreeScout application.

Potential Impact

For European organizations using FreeScout as their help desk or shared mailbox solution, this vulnerability poses a risk of client-side attacks that can compromise user sessions or lead to unauthorized actions performed on behalf of legitimate users. Since FreeScout is often used to manage customer support and internal communications, an attacker exploiting this XSS flaw could inject malicious scripts that steal authentication tokens or manipulate displayed data, undermining trust and potentially exposing sensitive customer information. The impact is particularly significant in sectors with strict data privacy regulations such as GDPR, where unauthorized data exposure or manipulation can lead to regulatory penalties. Additionally, the requirement for user interaction (e.g., a user viewing or deleting profile data) means social engineering could be used to trigger the exploit. While the vulnerability does not directly compromise backend systems, the client-side execution context can be a stepping stone for broader attacks, especially in environments where FreeScout is integrated with other internal tools or workflows.

Mitigation Recommendations

Organizations should immediately upgrade FreeScout installations to version 1.8.181 or later, where the vulnerability has been patched. Until the upgrade is applied, administrators should restrict profile data modification privileges to trusted users only and monitor logs for suspicious profile update or deletion activities. Implementing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting the execution of unauthorized scripts. Additionally, web application firewalls (WAFs) can be configured to detect and block common XSS payloads targeting the affected input fields. Regular security training for users to recognize phishing or social engineering attempts that might trigger malicious profile updates is also recommended. Finally, organizations should audit their FreeScout deployment for any signs of compromise and ensure that session management and authentication mechanisms are robust to limit the damage from potential XSS exploitation.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-05-27T20:14:34.295Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 683953b3182aa0cae2a2dd0b

Added to database: 5/30/2025, 6:44:03 AM

Last enriched: 7/7/2025, 9:11:51 PM

Last updated: 8/11/2025, 9:56:33 PM

Views: 11

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats