CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-48369 – GroupOffice vulnerable to Stored XSS in Tasks Comment Section
https://notcve.org/view.php?id=CVE-2025-48369
22 May 2025 — Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a persistent Cross-Site Scripting (XSS) vulnerability exists in Groupoffice's tasks comment functionality, allowing attackers to execute arbitrary JavaScript by uploading an file with a crafted filename. When administrators or other users view the task containing this malicious file, the payload executes in their browser context. The application fails to sanitize image filenames before r... • https://github.com/Intermesh/groupoffice/security/advisories/GHSA-45jj-r48j-75pp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-48368 – GroupOffice's DOM-Based XSS in all Date Input Fields Allows Arbitrary JavaScript Execution
https://notcve.org/view.php?id=CVE-2025-48368
22 May 2025 — Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a DOM-based Cross-Site Scripting (XSS) vulnerability exists in the GroupOffice application, allowing attackers to execute arbitrary JavaScript code in the context of the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability can be triggered by injecting a crafted payload into a parameter that is later processed unsafely in ... • https://github.com/Intermesh/groupoffice/security/advisories/GHSA-c49j-qvp9-vgg6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.9EPSS: 0%CPEs: 2EXPL: 0CVE-2025-48366 – GroupOffice's Blind Stored XSS in Phone Number Field Enables Forced Redirect and Unauthorized Actions
https://notcve.org/view.php?id=CVE-2025-48366
22 May 2025 — Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a stored and blind XSS vulnerability exists in the Phone Number field of the user profile within the GroupOffice application. This allows a malicious actor to inject persistent JavaScript payloads, which are triggered in the context of another user when they view the Address Book. Successful exploitation enables actions such as forced redirects, unauthorized fetch requests, or other arbi... • https://github.com/Intermesh/groupoffice/security/advisories/GHSA-phhq-3h8f-qxpx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-87: Improper Neutralization of Alternate XSS Syntax •
CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-25191 – Group-Office has a Stored XSS Vulnerability via user's name field
https://notcve.org/view.php?id=CVE-2025-25191
06 Mar 2025 — Group-Office is an enterprise CRM and groupware tool. This Stored XSS vulnerability exists where user input in the Name field is not properly sanitized before being stored. This vulnerability is fixed in 6.8.100. • https://github.com/Intermesh/groupoffice/commit/c5c83e19a5cdf93b0e758726c97597861f1d6eda • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 2%CPEs: 1EXPL: 4CVE-2012-4240 – Group Office Calendar - '/calendar/json.php' SQL Injection
https://notcve.org/view.php?id=CVE-2012-4240
11 Sep 2014 — SQL injection vulnerability in modules/calendar/json.php in Group-Office community before 4.0.90 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter. Vulnerabilidad de inyección SQL en modules/calendar/json.php en Group-Office community anterior a 4.0.90 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro sort. • https://www.exploit-db.com/exploits/21056 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •