Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68927

CVE-2025-68927: Libredesk Stored XSS Vulnerability

CVE-2025-68927 is a stored XSS vulnerability in Libredesk's contact notes feature that enables HTML injection attacks. Attackers can inject forms and images, leading to phishing and CSRF risks. Learn about affected versions and fixes.

Published:

CVE-2025-68927 Overview

Libredesk, a self-hosted customer support desk application, contains a stored HTML injection vulnerability in the contact notes feature. Versions prior to 0.8.6-beta fail to sanitize user-supplied HTML when notes are submitted via POST /api/v1/contacts/{id}/notes. The backend wraps input in <p> tags, but an attacker who intercepts the request and strips the wrapping tag can inject arbitrary HTML elements such as forms and images. The injected markup is then stored and rendered without proper sanitization, enabling phishing, CSRF-style forced actions, and UI redress attacks. The issue is tracked as [CWE-79] and was patched in version 0.8.6-beta.

Critical Impact

Authenticated users can persist malicious HTML in contact notes, which is later rendered to support agents and can be leveraged for credential theft, forced actions, and clickjacking.

Affected Products

  • Libredesk versions prior to 0.8.6-beta
  • Component: libredesk:libredesk
  • Fixed release: 0.8.6-beta

Discovery Timeline

  • 2025-12-27 - CVE-2025-68927 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-68927

Vulnerability Analysis

The vulnerability resides in the contact notes handling logic of Libredesk. When an authenticated user submits a note through POST /api/v1/contacts/{id}/notes, the backend automatically wraps the provided text in <p> tags before storing it. This wrapping was the only structural transformation applied, and the backend relied on the frontend Vue components to sanitize rendered output.

On the frontend, both ContactNotes.vue and CommandBox.vue rendered stored note content using the v-dompurify-html directive with the native-html class. However, because an attacker can intercept the outbound request and remove the wrapping <p> tag, the resulting payload bypasses assumptions made by downstream rendering logic. The stored HTML is later served to any user viewing the contact, including support agents.

Root Cause

The root cause is missing server-side output sanitization combined with fragile client-side rendering. The application trusted intercepted client input and stored raw HTML rather than escaping or filtering dangerous tags such as <form>, <img>, <iframe>, and event-handler attributes before persistence.

Attack Vector

An attacker with permissions to add contact notes intercepts the API call and injects arbitrary HTML. When another authenticated user opens the contact, the injected content renders in their browser session. This enables phishing forms mimicking the Libredesk login, forced navigation via CSRF, and layered UI redress that tricks agents into clicking hidden controls.

text
// Patch: frontend/src/features/contact/ContactNotes.vue
         <!-- Note content -->
         <CardContent class="pt-4 pb-5">
-          <p class="whitespace-pre-wrap text-sm native-html" v-dompurify-html="note.note"></p>
+          <Letter
+            :html="note.note"
+            :allowedSchemas="['cid', 'https', 'http', 'mailto']"
+            class="whitespace-pre-wrap text-sm native-html"
+          />
         </CardContent>
// Source: https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb

The patch replaces v-dompurify-html rendering with the vue-letterLetter component and restricts allowed URL schemas to cid, https, http, and mailto. The same replacement is applied in CommandBox.vue for the reply preview.

Detection Methods for CVE-2025-68927

Indicators of Compromise

  • Contact note records containing raw HTML tags such as <form>, <iframe>, <img onerror=...>, or <script> in the note field.
  • Requests to POST /api/v1/contacts/{id}/notes whose bodies contain HTML markup outside a single wrapping <p> tag.
  • Outbound requests from agent browsers to unexpected domains after viewing a contact profile.

Detection Strategies

  • Query the Libredesk database for notes containing tag characters (<, >) or attribute patterns like onerror=, onclick=, or action=.
  • Review reverse proxy logs for POST requests to the notes endpoint with unusually large or HTML-heavy bodies.
  • Inspect browser Content Security Policy violation reports generated when agents render contact notes.

Monitoring Recommendations

  • Alert on new contact notes containing HTML tags other than a wrapping paragraph element.
  • Monitor agent workstations for anomalous form submissions or redirects following contact page views.
  • Track version strings reported by Libredesk instances to confirm all deployments are running 0.8.6-beta or later.

How to Mitigate CVE-2025-68927

Immediate Actions Required

  • Upgrade Libredesk to version 0.8.6-beta or later, which replaces v-dompurify-html rendering with the vue-letterLetter component and enforces an allowed URL schema list.
  • Audit existing contact notes for stored HTML payloads and remove or neutralize any malicious content before agents re-open affected records.
  • Rotate session tokens and credentials for any agent who viewed suspect contact notes prior to remediation.

Patch Information

The fix is available in the upstream commit 270347849943ac6a43e9fd6ebdc99c71841900eb and is documented in the Libredesk GitHub Security Advisory GHSA-wh6m-h6f4-rjf4. Upgrading to 0.8.6-beta applies the sanitized rendering path in both ContactNotes.vue and CommandBox.vue.

Workarounds

  • Restrict which user roles can create or edit contact notes until the patch is applied.
  • Deploy a strict Content Security Policy that blocks inline event handlers and disallows form submissions to third-party origins.
  • Place Libredesk behind a web application firewall rule that rejects POST /api/v1/contacts/{id}/notes bodies containing tags such as <form>, <iframe>, or <script>.
bash
# Example WAF/reverse proxy rule (nginx) to block HTML-heavy note submissions
location ~ ^/api/v1/contacts/[0-9]+/notes$ {
    if ($request_method = POST) {
        set $block 0;
        if ($request_body ~* "<(script|iframe|form|object|embed)\b") { set $block 1; }
        if ($block = 1) { return 403; }
    }
    proxy_pass http://libredesk_upstream;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.