CVE-2025-48480

Name of the Vulnerable Software and Affected Versions FreeScout versions prior to 1.8.180

Description The issue allows an authorized user with the administrator role or the privilege User::PERM EDIT USERS to create a user and specify the path to the user's avatar as ../.htaccess during creation. After creating the user, the user's avatar can be deleted, resulting in the deletion of the .htaccess file in the /storage/app/public folder.

Recommendations For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting the User::PERM EDIT USERS privilege to prevent unauthorized users from creating or deleting users. Additionally, restrict access to the /storage/app/public folder to minimize the risk of exploitation.