CVE-2025-68927
Unknown Unknown - Not Provided
Stored HTML Injection in LibreDesk Contact Notes Enables Phishing

Publication date: 2025-12-27

Last updated on: 2025-12-27

Assigner: GitHub, Inc.

Description
Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-27
Last Modified
2025-12-27
Generated
2026-06-16
AI Q&A
2025-12-27
EPSS Evaluated
2026-06-14
NVD
CVE-2025-68927
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libredesk libredesk 0.8.6-beta
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in LibreDesk prior to version 0.8.6-beta allows an attacker to perform stored HTML injection via the contact notes feature. Normally, user input is wrapped in <p> tags, but by intercepting and modifying the request to remove these tags, an attacker can inject arbitrary HTML elements such as forms and images. These malicious elements are stored and rendered without proper sanitization, enabling attacks like phishing, CSRF-style forced actions, and UI redress attacks.

Impact Analysis

The vulnerability can lead to serious security issues including phishing attacks where users may be tricked into submitting sensitive information, CSRF-style forced actions that can manipulate user actions without their consent, and UI redress attacks that can alter the appearance of the interface to deceive users. These impacts can compromise user trust, data integrity, and overall system security.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade LibreDesk to version 0.8.6-beta or later, where the stored HTML injection issue in the contact notes feature has been patched.

Detection Guidance

This vulnerability can be detected by intercepting and inspecting POST requests to the endpoint /api/v1/contacts/{id}/notes to check if the note content is being wrapped automatically in <p> tags or if arbitrary HTML elements can be injected by removing these tags. A practical approach is to use a proxy tool like Burp Suite or curl combined with manual modification of the POST data to remove <p> tags and inject HTML elements such as <form> or <img>. For example, you can use curl to send a crafted POST request without <p> tags and observe if the injected HTML is stored and rendered. Example curl command: curl -X POST -H "Content-Type: application/json" -d '{"note": "<form><input name=\"test\"></form>"}' https://your-libredesk-instance/api/v1/contacts/{id}/notes. If the injected HTML is stored and rendered without sanitization, the system is vulnerable. Additionally, monitoring network traffic for POST requests to this endpoint and checking if the note content includes unexpected HTML elements can help detect exploitation attempts. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68927. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart