CVE-2025-68927

Severity CVSS v4.0:

HIGH

Type:

CWE-79 Cross-Site Scripting (XSS)

Publication date:

27/12/2025

Last modified:

27/12/2025

Description

Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in tags. However, by intercepting the request and removing the tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta.

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P CVSS v4.0 Severity and Metrics:

Base Score: 7.30 HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): None
User Interaction (UI): Passsive
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): None
Confidentiality (SC): None
Integrity (SI): None
Availability (SA): None
Exploit Maturity (E): POC

Base Score 4.0

7.30

Severity 4.0

HIGH

CVE-2025-68927

Description

Impact

References to Advisories, Solutions, and Tools