Playeriunknown

**Name of the Vulnerable Software and Affected Versions** Libredesk versions prior to 1.0.2-0.20260215211005-727213631ce6 **Description** Libredesk, a self-hosted customer support desk application, is susceptible to a Server-Side Request Forgery (SSRF) issue in its Webhooks module. An authenticated "Application Admin" can exploit this to force the server to make HTTP requests to arbitrary internal destinations, potentially compromising the underlying cloud infrastructure or internal corporate network. The application fails to validate destination URLs for webhooks. Attackers can perform internal port scanning by observing connection success or failure, and potentially leak sensitive information through error-based responses, as the application logs the full response body on webhook delivery failures. The root cause lies in missing input validation in `cmd/webhooks.go`, an unrestricted HTTP client in `internal/webhook/webhook.go`, and verbose error logging. Specifically, the application does not check if the URL resolves to a private IP address. The HTTP client follows redirects and connects to any IP address. **Recommendations** Versions prior to 1.0.2-0.20260215211005-727213631ce6 should be updated. Implement input validation to block URLs resolving to private IP ranges and Link-Local addresses. Utilize a custom `http.Transport` that verifies the destination IP address after DNS resolution to prevent DNS rebinding attacks.

**Name of the Vulnerable Software and Affected Versions** listmonk versions prior to 6.0.0 **Description** listmonk is a self-hosted newsletter and mailing list manager. A user with campaign management permissions, but lower privileges, can inject malicious JavaScript into campaigns or templates. When a user with higher privileges (Super Admin) views or previews this content, the JavaScript executes in their browser, potentially allowing the attacker to perform privileged actions, such as creating backdoor admin accounts. The issue can be exploited through the public archive feature, requiring only a link visit from the victim, without needing to preview the content. The vulnerable component is the campaign or template functionality. **Recommendations** Update to version 6.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** Libredesk versions prior to 0.8.6-beta **Description** Libredesk is a self-hosted customer support desk application. A stored HTML injection issue exists in the contact notes feature. When adding notes through the `POST /api/v1/contacts/{id}/notes` endpoint, user input is wrapped in <p> tags by the backend. Removing the <p> tag allows an attacker to inject arbitrary HTML elements, such as forms and images, which are then stored and displayed without proper sanitization. This can potentially lead to phishing, Cross-Site Request Forgery (CSRF)-style forced actions, and UI redress attacks. The vulnerable parameter is the contact note content submitted via the `POST /api/v1/contacts/{id}/notes` API endpoint. **Recommendations** Update to version 0.8.6-beta or later.