Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27.
References
Configurations
Configuration 1 (hide)
|
History
04 Sep 2025, 15:57
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd - Patch | |
| References | () https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11 - Patch | |
| References | () https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv - Third Party Advisory | |
| First Time |
Intermesh
Intermesh group-office |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
| CPE | cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:* |
17 Jun 2025, 20:50
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-06-17 01:15
Updated : 2025-09-04 15:57
NVD link : CVE-2025-48993
Mitre link : CVE-2025-48993
CVE.ORG link : CVE-2025-48993
JSON object : View
Products Affected
intermesh
- group-office
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')