Error type:
CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerability vector:
Base vulnerability score (CVSSv4.0): CVSS:4.0/ AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
Severity (CVSSv4.0): 4.6 (Medium)
Description:
The vulnerability was identified in FreeScout , versions v.1.8.173 and 1.8.174.
The discovered vulnerability allows an attacker to store malicious HTML/JavaScript scripts that is later executed in other users’ browsers due to insufficient input validation and sanitization.
Vulnerability status: Confirmed by vendor
Date of vulnerability remediation: 23.05.2025
Recommendations:
Update to version 1.8.180 or higher
Additional information: Security advisory
Researcher: Ilya Tsaturov, Daniil Satyaev, Roman Cheremnykh, Artem Deikov, Artem Danilov, Stanislav Gleym (Positive Technologies)
Identifiers:
CVE-2025-48489
BDU:2025-06965
Vendor:
FreeScout
Vulnerable product:
FreeScout
Vulnerable versions:
v.1.8.173 and 1.8.174