Improper Neutralization of HTML Tags in a Web Page in libredesk
Description
Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in tags. However, by intercepting the request and removing the tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/abhinavxd/libredeskGo | < 0.8.6-beta | 0.8.6-beta |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-wh6m-h6f4-rjf4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-68927ghsaADVISORY
- github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900ebghsax_refsource_MISCWEB
- github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.