Vulnerability Description
Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Libredesk | Libredesk | < 0.8.6 |
Related Weaknesses (CWE)
References
- https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c7184Patch
- https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4ExploitVendor Advisory
- https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4ExploitVendor Advisory
FAQ
What is CVE-2025-68927?
CVE-2025-68927 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contact...
How severe is CVE-2025-68927?
CVE-2025-68927 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-68927?
Check the references section above for vendor advisories and patch information. Affected products include: Libredesk Libredesk.