CVE-2025-48390 | THREATINT

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, FreeScout is vulnerable to code injection due to insufficient validation of user input in the php_path parameter. The backticks characters are not removed, as well as tabulation is not removed. When checking user input, the file_exists function is also called to check for the presence of such a file (folder) in the file system. A user with the administrator role can create a translation for the language, which will create a folder in the file system. Further in tools.php, the user can specify the path to this folder as php_path, which will lead to the execution of code in backticks. This issue has been patched in version 1.8.178.

PUBLISHED Reserved 2025-05-19 | Published 2025-05-29 | Updated 2025-05-30 | Assigner GitHub_M

HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

< 1.8.178

affected

References

github.com/...escout/security/advisories/GHSA-5324-cw55-gwj5

github.com/...ommit/fb33d672a2d67f5a2b3cf69c80945267f17908b2

cve.org (CVE-2025-48390)

nvd.nist.gov (CVE-2025-48390)

Download JSON