Description

Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta.

INFO

Published Date :

2025-12-27T00:04:49.621Z

Last Modified :

2025-12-29T16:51:24.522Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-68927 vulnerability.

Vendors Products
Abhinavxd
  • Libredesk
Libredesk
  • Libredesk
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-68927.

URL Resource
https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb cve-icon cve-icon
https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact