CVE-2025-68927 — LibreDesk Stored HTML Injection / Stored XSS vulnerability

CVE-2025-68927 is a stored HTML injection / stored cross-site scripting (XSS) vulnerability in LibreDesk, a self-hosted customer support desk application. Malicious HTML submitted in a contact note is stored without sanitization and later rendered as-is, so it executes in the browsers of other users who view that note.

Affected Versions

  • All versions prior to 0.8.6-beta are vulnerable.

Vulnerability Summary

  • The contact notes API endpoint (POST /api/v1/contacts/{id}/notes) automatically wraps user input in <p> tags.
  • By intercepting and modifying the request, an attacker can remove those tags and inject arbitrary HTML.
  • The inserted content is stored and later rendered without proper sanitization, enabling persistent XSS.

CVSS Score & Severity

  • CVSS v4.0 Base Score: 7.3
  • Severity Rating: High
    The vulnerability has a network attack vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality and integrity.

Impact

Exploitation could allow:

  • Persistent execution of attacker-controlled HTML/JavaScript in the context of users who view the infected notes.
  • UI redress, phishing, or social engineering attacks.
  • CSRF-style forced actions or session abuse when user browsers execute injected scripts.

Root Cause

  • Improper sanitization of user input when rendering stored content.
  • Classified as CWE-79: Improper Neutralization of Input During Web Page Generation (a common XSS weakness).

Fix & Mitigation

  • Upgrade LibreDesk to version 0.8.6-beta or later.
  • Apply proper server-side HTML sanitization and output encoding for user-supplied content.
  • Consider restricting or escaping HTML in contact notes to prevent executable markup.
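The following Go program is an added illustration written for this advisory; it is not LibreDesk's own code. Go is used because it is the language of the LibreDesk backend. It contrasts the vulnerable pattern (the stored note string is concatenated straight into the page, so a client that stripped the editor's <p> wrapper gets its raw markup rendered) with the mitigation the advisory recommends: encode the note on output so stored markup is displayed as text rather than interpreted. The route shape, the JSON field name note, the in-memory notes slice and the <script> test string are all constructed assumptions for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// noteRequest is the assumed JSON body for POST /api/v1/contacts/{id}/notes.
type noteRequest struct {
	Note string `json:"note"`
}

// notes is a constructed in-memory stand-in for the contact notes table.
var (
	mu    sync.Mutex
	notes []string
)

// CreateNoteHandler stores the submitted note body verbatim. Storing the raw
// string is acceptable only if every render path encodes or sanitizes it;
// trusting the client to keep the editor's <p> wrapper is not a control.
func CreateNoteHandler(w http.ResponseWriter, r *http.Request) {
	var req noteRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil || strings.TrimSpace(req.Note) == "" {
		http.Error(w, "invalid note", http.StatusBadRequest)
		return
	}
	mu.Lock()
	notes = append(notes, req.Note)
	mu.Unlock()
	w.WriteHeader(http.StatusCreated)
}

// RenderNoteUnsafe reproduces the vulnerable pattern: the stored string is
// concatenated into the page, so any markup the client sent becomes live HTML.
func RenderNoteUnsafe(body string) string {
	return "<p>" + body + "</p>"
}

// noteTmpl is the hardened output path. html/template escapes {{.Body}} for
// the HTML text context, so stored markup is shown to the viewer, not executed.
var noteTmpl = template.Must(template.New("note").Parse(`<p>{{.Body}}</p>`))

// RenderNoteSafe returns the note encoded for safe inclusion in the page.
func RenderNoteSafe(body string) (string, error) {
	var buf bytes.Buffer
	if err := noteTmpl.Execute(&buf, struct{ Body string }{body}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ContainsTag reports whether rendered output still carries a live element
// with the given name; a regression test can use it to catch unencoded output.
func ContainsTag(rendered, tag string) bool {
	return strings.Contains(strings.ToLower(rendered), "<"+strings.ToLower(tag))
}

func main() {
	// Constructed request: the client removed the editor's <p> wrapper and
	// submitted raw markup in its place.
	payload := `{"note":"<script>alert(1)</script>"}`
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/api/v1/contacts/1/notes", strings.NewReader(payload))
	CreateNoteHandler(rec, req)
	fmt.Println("status:", rec.Code)

	mu.Lock()
	stored := notes[len(notes)-1]
	mu.Unlock()

	fmt.Println("unsafe:", RenderNoteUnsafe(stored))
	safe, _ := RenderNoteSafe(stored)
	fmt.Println("safe:  ", safe)
}
```

Output encoding is the smallest fix and matches the advisory's last bullet. If contact notes must keep rich formatting, replace the escaping step with a server-side allowlist sanitizer applied before storage and again on render, and treat the frontend's <p> wrapping as cosmetic, since the summary above shows it can be removed by anyone who edits the request.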