Improper Enforcement of Behavioral Workflow
CVE-2025-48480
Summary
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, an authorized user with the administrator role or with the privilege User::PERM_EDIT_USERS can create a user, specifying ../.htaccess as the path to the user's avatar during creation, and then delete that user's avatar, which deletes the .htaccess file in the folder /storage/app/public. This issue has been patched in version 1.8.180.
- LOW
- NETWORK
- LOW
- UNCHANGED
- NONE
- HIGH
- NONE
- NONE
CWE-841 - Improper Enforcement of Behavioral Workflow
The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.
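The Summary describes an avatar value of ../.htaccess being stored and later used as a delete target. The following is an added example, not code from FreeScout or from this advisory, of a containment check a delete routine can apply before unlinking; the avatars/ subdirectory, the file-name allow-list and the function names safeAvatarPath and deleteAvatar are assumptions.

```php
<?php
// Added illustration, not FreeScout's code. The avatars/ subdirectory, the
// file-name allow-list and both function names are assumptions.

// Map a stored avatar name to a real path, or null when it is not a bare
// image file name that resolves inside $avatarDir.
function safeAvatarPath(string $avatarDir, string $stored): ?string
{
    // A bare file name has no separators, so "../.htaccess" fails here.
    if ($stored === '' || $stored !== basename($stored)) {
        return null;
    }
    // Assumed allow-list: simple name plus an image extension.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(?:png|jpe?g|gif)\z/', $stored)) {
        return null;
    }
    // realpath() resolves symlinks and ".."; the result must stay under the base.
    $base = realpath($avatarDir);
    $real = realpath($avatarDir . DIRECTORY_SEPARATOR . $stored);
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Delete only what safeAvatarPath() accepts; returns whether a file was removed.
function deleteAvatar(string $avatarDir, string $stored): bool
{
    $path = safeAvatarPath($avatarDir, $stored);
    return $path !== null && is_file($path) && unlink($path);
}

// Constructed sandbox mirroring the summary: public/.htaccess next to an
// avatar subdirectory (directory names are made up for the demo).
$public = sys_get_temp_dir() . '/fs_demo_' . bin2hex(random_bytes(4));
$avatars = $public . '/avatars';
mkdir($avatars, 0700, true);
file_put_contents($public . '/.htaccess', "# constructed\n");
file_put_contents($avatars . '/u1.png', 'constructed');

// The name from the advisory, then a legitimate avatar name.
var_dump(deleteAvatar($avatars, '../.htaccess'));
var_dump(file_exists($public . '/.htaccess'));
var_dump(deleteAvatar($avatars, 'u1.png'));
```

Applying the same check when the avatar value is first accepted keeps a traversal name from being stored at all, so the later delete step never sees it.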
References
Advisory Timeline
- Published