CVE-2025-48875: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in freescout-help-desk freescout
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of last_name and first_name during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.181.
AI Analysis
Technical Summary
CVE-2025-48875 is a medium severity Cross-Site Scripting (XSS) vulnerability affecting FreeScout, a free self-hosted help desk and shared mailbox software. The vulnerability exists in versions prior to 1.8.181 due to improper input validation of the 'last_name' and 'first_name' fields during profile data updates. Specifically, the application fails to correctly neutralize malicious JavaScript code injected into these fields. When such malicious input is deleted, the injected JavaScript executes within the context of a flash-message, leading to a reflected XSS attack vector. This flaw is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The vulnerability has a CVSS 4.6 score, indicating a medium severity level, with an attack vector of network (remote), requiring low privileges but user interaction, and high attack complexity. No known exploits are currently reported in the wild, and the issue was patched in FreeScout version 1.8.181. The vulnerability does not impact confidentiality, integrity, or availability directly but can be leveraged to execute arbitrary scripts in the victim’s browser, potentially leading to session hijacking, phishing, or other client-side attacks within the context of the FreeScout application.
Potential Impact
For European organizations using FreeScout as their help desk or shared mailbox solution, this vulnerability poses a risk of client-side attacks that can compromise user sessions or lead to unauthorized actions performed on behalf of legitimate users. Since FreeScout is often used to manage customer support and internal communications, an attacker exploiting this XSS flaw could inject malicious scripts that steal authentication tokens or manipulate displayed data, undermining trust and potentially exposing sensitive customer information. The impact is particularly significant in sectors with strict data privacy regulations such as GDPR, where unauthorized data exposure or manipulation can lead to regulatory penalties. Additionally, the requirement for user interaction (e.g., a user viewing or deleting profile data) means social engineering could be used to trigger the exploit. While the vulnerability does not directly compromise backend systems, the client-side execution context can be a stepping stone for broader attacks, especially in environments where FreeScout is integrated with other internal tools or workflows.
Mitigation Recommendations
Organizations should immediately upgrade FreeScout installations to version 1.8.181 or later, where the vulnerability has been patched. Until the upgrade is applied, administrators should restrict profile data modification privileges to trusted users only and monitor logs for suspicious profile update or deletion activities. Implementing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting the execution of unauthorized scripts. Additionally, web application firewalls (WAFs) can be configured to detect and block common XSS payloads targeting the affected input fields. Regular security training for users to recognize phishing or social engineering attempts that might trigger malicious profile updates is also recommended. Finally, organizations should audit their FreeScout deployment for any signs of compromise and ensure that session management and authentication mechanisms are robust to limit the damage from potential XSS exploitation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
CVE-2025-48875: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in freescout-help-desk freescout
Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of last_name and first_name during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.181.
AI-Powered Analysis
Technical Analysis
CVE-2025-48875 is a medium severity Cross-Site Scripting (XSS) vulnerability affecting FreeScout, a free self-hosted help desk and shared mailbox software. The vulnerability exists in versions prior to 1.8.181 due to improper input validation of the 'last_name' and 'first_name' fields during profile data updates. Specifically, the application fails to correctly neutralize malicious JavaScript code injected into these fields. When such malicious input is deleted, the injected JavaScript executes within the context of a flash-message, leading to a reflected XSS attack vector. This flaw is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The vulnerability has a CVSS 4.6 score, indicating a medium severity level, with an attack vector of network (remote), requiring low privileges but user interaction, and high attack complexity. No known exploits are currently reported in the wild, and the issue was patched in FreeScout version 1.8.181. The vulnerability does not impact confidentiality, integrity, or availability directly but can be leveraged to execute arbitrary scripts in the victim’s browser, potentially leading to session hijacking, phishing, or other client-side attacks within the context of the FreeScout application.
Potential Impact
For European organizations using FreeScout as their help desk or shared mailbox solution, this vulnerability poses a risk of client-side attacks that can compromise user sessions or lead to unauthorized actions performed on behalf of legitimate users. Since FreeScout is often used to manage customer support and internal communications, an attacker exploiting this XSS flaw could inject malicious scripts that steal authentication tokens or manipulate displayed data, undermining trust and potentially exposing sensitive customer information. The impact is particularly significant in sectors with strict data privacy regulations such as GDPR, where unauthorized data exposure or manipulation can lead to regulatory penalties. Additionally, the requirement for user interaction (e.g., a user viewing or deleting profile data) means social engineering could be used to trigger the exploit. While the vulnerability does not directly compromise backend systems, the client-side execution context can be a stepping stone for broader attacks, especially in environments where FreeScout is integrated with other internal tools or workflows.
Mitigation Recommendations
Organizations should immediately upgrade FreeScout installations to version 1.8.181 or later, where the vulnerability has been patched. Until the upgrade is applied, administrators should restrict profile data modification privileges to trusted users only and monitor logs for suspicious profile update or deletion activities. Implementing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting the execution of unauthorized scripts. Additionally, web application firewalls (WAFs) can be configured to detect and block common XSS payloads targeting the affected input fields. Regular security training for users to recognize phishing or social engineering attempts that might trigger malicious profile updates is also recommended. Finally, organizations should audit their FreeScout deployment for any signs of compromise and ensure that session management and authentication mechanisms are robust to limit the damage from potential XSS exploitation.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-05-27T20:14:34.295Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 683953b3182aa0cae2a2dd0b
Added to database: 5/30/2025, 6:44:03 AM
Last enriched: 7/7/2025, 9:11:51 PM
Last updated: 8/11/2025, 9:56:33 PM
Views: 11
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.