CVE-2025-48488
📋 TL;DR
CVE-2025-48488 is a Cross-Site Scripting vulnerability in FreeScout help desk software where deleting the .htaccess file allows attackers to upload malicious HTML files containing JavaScript. This affects all FreeScout instances prior to version 1.8.180. Attackers can execute arbitrary JavaScript in victims' browsers when they access the uploaded file.
💻 Affected Systems
- FreeScout
📦 What is this software?
Freescout by Freescout
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deploy additional malware payloads.
Likely Case
Session hijacking, credential theft, or defacement of the help desk interface through malicious scripts.
If Mitigated
Limited impact with proper file upload restrictions and Content Security Policy headers in place.
🎯 Exploit Status
Exploitation requires ability to delete .htaccess file and upload HTML files, which typically requires some level of access or misconfiguration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.180
Vendor Advisory: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-2m76-538h-7hf9
Restart Required: No
Instructions:
1. Backup your FreeScout installation and database.
2. Download version 1.8.180 from the official repository.
3. Replace existing files with the new version.
4. Verify the .htaccess file exists and contains proper restrictions.
🔧 Temporary Workarounds
Restrict HTML file uploads
Configure the web server to block HTML file uploads or execution in upload directories.
# Add to .htaccess in upload directory:
# (Apache 2.2 access-control syntax; on Apache 2.4 it only works with mod_access_compat loaded,
#  otherwise replace the two Order/Deny lines with: Require all denied)
<FilesMatch "\.(html|htm)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Ensure .htaccess file exists
Verify and restore the .htaccess file with proper security restrictions.
# Check if .htaccess exists:
ls -la /path/to/freescout/.htaccess
# Restore from backup or download from official repository
🧯 If You Can't Patch
- Implement strict file upload validation to reject HTML files
- Deploy Web Application Firewall (WAF) rules to detect and block XSS payloads
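The "strict file upload validation" item above is the one control that works regardless of whether .htaccess survives. As an added example (not FreeScout's own code), here is a validator that rejects HTML by extension, including double extensions such as `evil.html.txt`, and also by sniffing the first bytes of the content so a browser cannot be talked into rendering a "text" file as a page. The blocked extension list and the marker regex are assumptions for this example; tune them to your deployment.

```python
import re

# Extensions that must never be stored as attachments (constructed policy for this example).
BLOCKED_EXTENSIONS = {"html", "htm", "xhtml", "shtml"}

# Tags whose presence near the start of a file mean a browser may render it as HTML
# and run script, whatever the file name says.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|script|iframe|body|svg)\b", re.IGNORECASE
)


def extension_chain(filename: str) -> list[str]:
    """Return every extension in the name, lower-cased: 'a.HTML.txt' -> ['html', 'txt'].
    Checking the whole chain defeats double-extension tricks."""
    base = filename.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Reject on extension first, then on content."""
    for ext in extension_chain(filename):
        if ext in BLOCKED_EXTENSIONS:
            return False, f"blocked extension .{ext}"
    # Only the head of the file is inspected; leading whitespace/BOM is ignored.
    head = content[:4096].lstrip(b"\xef\xbb\xbf \t\r\n")
    if HTML_MARKERS.search(head):
        return False, "content looks like HTML regardless of extension"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads, not real attachments.
    samples = [
        ("ticket.html", b"<script>alert(document.cookie)</script>"),
        ("notes.txt", b"  <html><body>hi</body></html>"),
        ("evil.HTML.txt", b"plain text"),
        ("report.pdf", b"%PDF-1.4 binary..."),
    ]
    for name, data in samples:
        print(name, validate_upload(name, data))
```

The content check is deliberately conservative: a genuine text attachment that happens to contain `<script` near its start is rejected too, which for a help desk is the right trade-off.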
🔍 How to Verify
Check if Vulnerable:
Check if FreeScout version is below 1.8.180 and verify .htaccess file exists in the root directory with proper file restrictions.
Check Version:
Check app/version.php or look for version information in the FreeScout admin interface
Verify Fix Applied:
Confirm version is 1.8.180 or higher and test that HTML file uploads are properly blocked or sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with .html extension
- Missing .htaccess file warnings
- Access to uploaded HTML files
Network Indicators:
- HTTP requests to uploaded HTML files with suspicious parameters
- Outbound connections to external domains from help desk pages
SIEM Query:
source="webserver" AND (uri="*.html" OR uri="*.htm") AND status=200