PT-2025-23172 · Freescout

Author: Artem Danilov (+5)
Published: 2025-05-13
Updated: 2025-07-11
CVE-2025-48390
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: FreeScout versions prior to 1.8.178
Description: The issue stems from insufficient validation of user input in the php path parameter, which allows code injection, because backtick characters and tab characters are not stripped from the input. An administrator can create a translation for a language, which creates a folder in the file system; the path of that folder can then be supplied as the php path in tools.php, causing the code between the backticks to be executed. The only check applied is the file_exists() function, which merely confirms that such a file or folder is present in the file system, so a folder the administrator has just created passes it.
Recommendations: For versions prior to 1.8.178, update to version 1.8.178 to resolve the issue. As a temporary workaround, consider restricting access to the php path parameter in tools.php to prevent code injection. Additionally, avoid using the php path parameter with untrusted input until the issue is resolved.
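The following is an added PHP example illustrating the defensive side of the issue described above; it is not FreeScout's code and the function names, the allowed interpreter directories and the sample inputs are assumptions constructed for illustration. It contrasts an existence-only check with a validator that rejects shell metacharacters (backticks, tabs and other whitespace), requires an executable regular file rather than a directory, and quotes the value before it ever reaches a shell command.

```php
<?php
// Added example, not FreeScout's code. Shows why an existence check alone is not
// input validation for a path that later reaches a shell, and one way to harden it.

// Weak check of the kind the advisory describes: any path that exists passes,
// including a directory whose name contains backticks or a tab.
function weak_php_path_check(string $path): bool
{
    return file_exists($path);
}

// Hardened check. Returns the canonical path on success, throws otherwise.
function validate_php_path(string $path): string
{
    // 1. Conservative allowlist: absolute path built from letters, digits, "_", ".", "/", "-".
    //    Backticks, "$", ";", "|", "&", spaces, tabs and newlines are all rejected here.
    if (!preg_match('~^/[A-Za-z0-9_./-]+$~', $path)) {
        throw new InvalidArgumentException('php path contains disallowed characters');
    }

    // 2. Resolve symlinks and ".." and require a regular executable file.
    //    file_exists() is true for directories too; is_file() is not.
    $real = realpath($path);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        throw new InvalidArgumentException('php path is not an executable file');
    }

    // 3. Restrict to known interpreter locations (assumed list for this example).
    $allowedDirs = ['/usr/bin', '/usr/local/bin', '/opt/php/bin'];
    if (!in_array(dirname($real), $allowedDirs, true)) {
        throw new InvalidArgumentException('php path is outside the allowed directories');
    }

    return $real;
}

// Even a validated path is quoted before being placed in a command line, so the
// shell treats it as one literal word regardless of its content.
function php_version_command(string $validatedPath): string
{
    return escapeshellarg($validatedPath) . ' --version';
}

// Constructed sample inputs (not taken from the advisory). Whether the first one is
// accepted depends on /usr/bin/php existing on the machine running this script.
$samples = [
    '/usr/bin/php',
    "/tmp/translations/`echo injected`", // backticks: rejected at step 1
    "/usr/bin/php\t",                    // trailing tab: rejected at step 1
    '/tmp/translations/en_GB',           // a directory: rejected at step 2 even if it exists
];

foreach ($samples as $candidate) {
    $weak = weak_php_path_check($candidate) ? 'exists' : 'missing';
    try {
        $cmd = php_version_command(validate_php_path($candidate));
        echo "weak check: {$weak}; hardened: accepted -> {$cmd}" . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "weak check: {$weak}; hardened: rejected ({$e->getMessage()})" . PHP_EOL;
    }
}
```

The ordering matters: the character allowlist runs before realpath(), so a value containing backticks is refused without the file system ever being consulted, and the directory allowlist is applied to the resolved path rather than the user-supplied string, which closes the symlink and ".." cases that a string comparison would miss.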

Exploit

Fix

Code Injection


Weakness Enumeration

Related identifiers

BDU:2025-06946
CVE-2025-48390
GHSA-5324-CW55-GWJ5

Affected products

Freescout