CVE-2025-68927
📋 TL;DR
LibreDesk versions before 0.8.6-beta are vulnerable to stored HTML injection in the contact notes feature. Attackers can inject malicious HTML elements like forms and images by intercepting and modifying API requests, leading to phishing, CSRF attacks, and UI manipulation. All LibreDesk instances running vulnerable versions are affected.
💻 Affected Systems
- LibreDesk
📦 What is this software?
Libredesk by Libredesk
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious forms to steal credentials, perform CSRF attacks to modify user accounts or settings, or create convincing phishing pages within the legitimate application interface.
Likely Case
Attackers with access to the contact notes feature could inject phishing forms or malicious images to trick users into revealing credentials or performing unintended actions.
If Mitigated
With proper input validation and output encoding, injected HTML would be rendered as plain text rather than interpreted as markup.
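The allow-list sanitizer below shows what "input validation and output encoding" means in practice for a notes field: a small set of formatting tags is kept (attributes dropped), and every other tag, comment or declaration is output-encoded so the browser shows it as text. This is an added example, not LibreDesk's code or its fix; the allowed tag set and the sample inputs are assumptions made up for the illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumption for this example: notes may carry a few formatting tags and no
# attributes at all. Everything else is rendered as literal text. This set is
# illustrative and is not LibreDesk's own allow-list.
ALLOWED_TAGS = {"p", "br", "strong", "em"}


class NoteSanitizer(HTMLParser):
    """Allow-list sanitizer: keeps ALLOWED_TAGS (attributes dropped) and
    escapes every other tag, comment or declaration so it renders as text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"<{tag}>")  # attributes are dropped on purpose
        else:
            # get_starttag_text() returns the raw '<form action="...">' source
            self.parts.append(escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        # Self-closing form such as <br/> or <img ... />
        if tag in ALLOWED_TAGS:
            self.parts.append(f"<{tag}>")
        else:
            self.parts.append(escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        closing = f"</{tag}>"
        self.parts.append(closing if tag in ALLOWED_TAGS else escape(closing))

    def handle_data(self, data):
        # Text content is always output-encoded. convert_charrefs has already
        # decoded entities, so "&lt;" in the input round-trips as "&lt;".
        self.parts.append(escape(data, quote=False))

    def handle_comment(self, data):
        self.parts.append(escape(f"<!--{data}-->"))

    def handle_decl(self, decl):
        self.parts.append(escape(f"<!{decl}>"))

    def handle_pi(self, data):
        self.parts.append(escape(f"<?{data}>"))


def sanitize_note(raw_html: str) -> str:
    """Return note HTML that is safe to store and render: allowed tags kept,
    everything else shown as plain text."""
    parser = NoteSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory
    for sample in (
        "<p>Called the customer back</p>",
        '<p>Hi <form action="https://example.invalid/">Re-enter password</form></p>',
        '<img src="https://example.invalid/t.png">',
        "<script>x</script>",
    ):
        print(sanitize_note(sample))
```

Run the sanitizer on the server at write time (so the stored value is already clean) and keep output encoding in the template as the second layer; a client-side editor that wraps text in `<p>` tags offers no protection, because the advisory's attack path is to modify the API request after the editor has done its work.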
🎯 Exploit Status
Exploitation requires access to the contact notes feature and the ability to intercept and modify API requests. The technique is straightforward once that access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.8.6-beta
Vendor Advisory: https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4
Restart Required: Yes
Instructions:
1. Backup your LibreDesk instance and database.
2. Update to version 0.8.6-beta or later.
3. Restart the LibreDesk service.
4. Verify the fix by testing the contact notes functionality.
🔧 Temporary Workarounds
Input Validation Web Application Firewall Rule
- Configure the WAF to block requests to /api/v1/contacts/*/notes that contain HTML tags or script elements
- WAF-specific configuration required
Disable Contact Notes Feature
- Temporarily disable the contact notes functionality if it is not essential
- Modify the application configuration or frontend to remove the contact notes interface
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent execution of injected scripts (CSP's form-action directive also limits where an injected form can submit, but CSP does not stop an injected form or image from rendering, so treat it as a partial control)
- Monitor and audit all POST requests to /api/v1/contacts/*/notes for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Test by attempting to inject HTML via the contact notes API endpoint and checking if it renders as HTML rather than plain text.
Check Version:
Check LibreDesk version in web interface or via package manager: dpkg -l | grep libredesk or rpm -qa | grep libredesk
Verify Fix Applied:
After patching, repeat the same injection test; the injected HTML should now be sanitized and rendered as plain text.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /api/v1/contacts/*/notes with stripped <p> tags
- Requests containing HTML form elements or script tags in contact notes
Network Indicators:
- HTTP traffic to /api/v1/contacts/*/notes with unusual payloads
- Modified API requests with Content-Type manipulation
SIEM Query:
source="libredesk" AND (url_path="/api/v1/contacts/*/notes" AND (request_body CONTAINS "<form" OR request_body CONTAINS "<img" OR request_body CONTAINS "<script"))
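The SIEM query above, and the WAF rule under Temporary Workarounds, reduced to a small log scanner that can be run offline over exported request logs. This is an added example, not part of the advisory and not LibreDesk's own tooling; the JSON field names and the sample log lines are constructed for the illustration. It generalizes the query slightly by matching tag names case-insensitively, since the page's query would miss "<FORM" or "<Img".

```python
import json
import re

# Endpoint named in the advisory; the middle segment is the contact id.
NOTES_PATH = re.compile(r"^/api/v1/contacts/[^/]+/notes/?$")
# Elements the advisory's SIEM query looks for. The page's query is case
# sensitive; matching case-insensitively here so "<FORM" is not missed.
SUSPICIOUS_TAGS = re.compile(r"<\s*(form|img|script)\b", re.IGNORECASE)

# Constructed sample request log, one JSON object per line. These are not real
# LibreDesk log records; the field names are assumptions for this example.
SAMPLE_LOG = r"""
{"ts": "2025-01-01T10:00:00Z", "user": "agent1", "method": "POST", "path": "/api/v1/contacts/42/notes", "body": "<p>Called the customer back</p>"}
{"ts": "2025-01-01T10:01:00Z", "user": "agent2", "method": "POST", "path": "/api/v1/contacts/42/notes", "body": "<FORM action=\"https://example.invalid/\">Re-enter your password</FORM>"}
{"ts": "2025-01-01T10:02:00Z", "user": "agent2", "method": "POST", "path": "/api/v1/contacts/7/notes", "body": "<p>Hi</p><img src=\"https://example.invalid/t.png\">"}
{"ts": "2025-01-01T10:03:00Z", "user": "agent1", "method": "GET", "path": "/api/v1/contacts/7/notes", "body": ""}
{"ts": "2025-01-01T10:04:00Z", "user": "agent3", "method": "POST", "path": "/api/v1/tickets/9/notes", "body": "<script>x</script>"}
"""


def suspicious_tags(body: str) -> list:
    """Return the sorted, lower-cased set of flagged element names in body."""
    return sorted({m.group(1).lower() for m in SUSPICIOUS_TAGS.finditer(body or "")})


def is_suspicious(entry: dict) -> bool:
    """True when a POST to the contact notes endpoint carries a flagged tag."""
    return (
        entry.get("method", "").upper() == "POST"
        and NOTES_PATH.match(entry.get("path", "")) is not None
        and bool(suspicious_tags(entry.get("body", "")))
    )


def scan_log(text: str) -> list:
    """Parse JSON-lines log text and return one alert dict per matching entry."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        if is_suspicious(entry):
            alerts.append({
                "ts": entry.get("ts"),
                "user": entry.get("user"),
                "path": entry.get("path"),
                "tags": suspicious_tags(entry.get("body", "")),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['user']} {alert['path']} tags={','.join(alert['tags'])}")
```

The scanner keys on the path pattern and the request body only, so it needs a log source that records request bodies (a reverse proxy or WAF in front of the application); the application's own access log typically records the path and method but not the body. Entries on other endpoints, such as the ticket notes line in the sample, are deliberately left alone so the alert stays tied to the advisory's affected feature.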