7.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-68927

CVE-2025-68927: Improper Neutralization of HTML Tags in a Web Page in libredesk

Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-68927

CVE-2025-68927:

7.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/abhinavxd/libredesk	go	< 0.8.6-beta	0.8.6-beta

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a stored HTML injection where the Go backend fails to sanitize user-provided notes submitted to the /api/v1/contacts/{id}/notes endpoint. The backend stores the raw HTML, and the vulnerability is triggered when the frontend renders this content.

The provided patch focuses on mitigating the vulnerability on the client side by changing how the HTML content is rendered. The analysis of the patch identified several Vue.js components that were using v-dompurify-html to render content. This library was insufficient to prevent the injection of arbitrary HTML tags like <form>, as described in the PoC.

The patch replaces the usage of v-dompurify-html with a more restrictive component called <Letter>, which only allows a specific set of URL schemas, effectively preventing the malicious HTML from being rendered. The identified vulnerable functions are the Vue.js components where this insecure rendering occurred. While the root cause is the lack of input sanitization in the Go backend, the provided patch only contains changes for the frontend code, so the analysis is limited to the client-side components where the exploit would manifest in a user's browser.

Vulnerable functions

ContactNotes.vue

frontend/src/features/contact/ContactNotes.vue

This Vue component is responsible for rendering contact notes. It used the `v-dompurify-html` directive to render the `note.note` property. The vulnerability description confirms that an attacker can inject arbitrary HTML (e.g., <form> tags) by manipulating the request to the backend, which stores it without sanitization. This component would then render the malicious HTML, leading to a stored HTML injection vulnerability. The patch replaces the vulnerable rendering method with a more restrictive `<Letter>` component.

CommandBox.vue

frontend/src/features/command/CommandBox.vue

This component, likely used for macros or replies, also used `v-dompurify-html` to render HTML content (`replyContent`). The commit message explicitly mentions fixing injection in 'macros etc.'. This component was another vector for rendering unsanitized HTML stored on the backend, making it vulnerable to the same stored HTML injection flaw. The patch mitigates this by switching to the `<Letter>` component.

AgentMessageBubble.vue

frontend/src/features/conversation/message/AgentMessageBubble.vue

This component was used for displaying agent messages and was vulnerable because it rendered `messageContent` using `v-dompurify-html`. The component was removed entirely in the patch and replaced by a new, safer `MessageBubble.vue` component that uses the `<Letter>` component for rendering, indicating that this was a vulnerable surface for HTML injection.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-68927: Improper Neutralization of HTML Tags in a Web Page in libredesk

CVE-2025-68927:

7.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

7.3

7.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-68927: Improper Neutralization of HTML Tags in a Web Page in libredesk

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI