CVE-2025-48875

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system incorrectly validated the last_name and first_name fields during profile data updates, allowing arbitrary JavaScript to be injected; that script is executed in a flash message when the data is deleted, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.181.
Configurations

Configuration 1

cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*

History

04 Jun 2025, 19:54

Type Values Removed Values Added

References
  Removed: https://github.com/freescout-help-desk/freescout/commit/508dda16853a39fcb6c2b46ea7b7f442d5f7eda7 (no tags)
  Added: https://github.com/freescout-help-desk/freescout/commit/508dda16853a39fcb6c2b46ea7b7f442d5f7eda7 (Patch)
References
  Removed: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mjjx-rv96-w9hq (no tags)
  Added: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mjjx-rv96-w9hq (Exploit, Vendor Advisory)
CPE
  Added: cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*
CVSS
  Removed: v2 : unknown, v3 : unknown
  Added: v2 : unknown, v3 : 5.4
First Time
  Added: Freescout
  Added: Freescout freescout

30 May 2025, 16:31

Type Values Removed Values Added
Summary
  • (es) FreeScout is a free, self-hosted help desk with a shared mailbox. Prior to version 1.8.181, incorrect validation of last_name and first_name during profile data updates allowed the injection of arbitrary JavaScript code, which was executed in a text message when the data was deleted, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This issue has been fixed in version 1.8.181.

30 May 2025, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-05-30 07:15

Updated : 2025-06-04 19:54


NVD link : CVE-2025-48875

Mitre link : CVE-2025-48875

CVE.ORG link : CVE-2025-48875


Products Affected

freescout

  • freescout
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')