CVE-2025-48479

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the laravel-translation-manager package does not correctly validate user input, enabling the deletion of any directory, given sufficient access rights. This issue has been patched in version 1.8.180.

CVSS v3 2.7 LOW

2.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-627h-pc3c-w68h	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*

History

04 Jun 2025, 15:36

Type	Values Removed	Values Added
CPE		cpe:2.3:a:freescout:freescout::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 2.7
First Time		Freescout freescout Freescout
CWE		NVD-CWE-noinfo
References	~~() https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-627h-pc3c-w68h -~~	() https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-627h-pc3c-w68h - Exploit, Vendor Advisory

30 May 2025, 16:31

Type	Values Removed	Values Added
Summary		(es) FreeScout es un servicio de asistencia gratuito y autoalojado, con buzón compartido. Antes de la versión 1.8.180, el paquete laravel-translation-manager no validaba correctamente la entrada del usuario, lo que permitía eliminar cualquier directorio si se contaban con suficientes permisos de acceso. Este problema se ha corregido en la versión 1.8.180.

30 May 2025, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-30 05:15

Updated : 2025-06-04 15:36

NVD link : CVE-2025-48479

Mitre link : CVE-2025-48479

CVE.ORG link : CVE-2025-48479

JSON object : View

Products Affected

freescout

freescout

CWE

CWE-841

Improper Enforcement of Behavioral Workflow

NVD-CWE-noinfo

{"id": "CVE-2025-48479", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-30T05:15:22.630", "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-627h-pc3c-w68h", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-841"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the laravel-translation-manager package does not correctly validate user input, enabling the deletion of any directory, given sufficient access rights. This issue has been patched in version 1.8.180."}, {"lang": "es", "value": "FreeScout es un servicio de asistencia gratuito y autoalojado, con buz\u00f3n compartido. Antes de la versi\u00f3n 1.8.180, el paquete laravel-translation-manager no validaba correctamente la entrada del usuario, lo que permit\u00eda eliminar cualquier directorio si se contaban con suficientes permisos de acceso. Este problema se ha corregido en la versi\u00f3n 1.8.180."}], "lastModified": "2025-06-04T15:36:04.267", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "68F8F94A-40CE-4D87-9119-D849531E7D48", "versionEndExcluding": "1.8.180"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}