CVE-2025-68927

Опубликовано: 27 дек. 2025

Источник: nvd

CVSS3: 6.1

EPSS Низкий

Описание

Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in

tags. However, by intercepting the request and removing the

tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta.

Ссылки

https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb
Patch
https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4
Exploit
Vendor Advisory
https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:libredesk:libredesk:*:*:*:*:*:*:*:*

Версия до 0.8.6 (исключая)

EPSS

Процентиль: 9%

0.00033

Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-wh6m-h6f4-rjf4

github

около 2 месяцев назад

Libredesk has Improper Neutralization of HTML Tags in a Web Page