CVE-2025-25191

Group-Office is an enterprise CRM and groupware tool. This Stored XSS vulnerability exists where user input in the Name field is not properly sanitized before being stored. This vulnerability is fixed in 6.8.100.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/Intermesh/groupoffice/commit/c5c83e19a5cdf93b0e758726c97597861f1d6eda	Patch
https://github.com/Intermesh/groupoffice/security/advisories/GHSA-j7p3-v652-p3gf	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:group-office:group_office:6.8.99:*:*:*:*:*:*:*

History

10 Oct 2025, 20:11

Type	Values Removed	Values Added
CPE		cpe:2.3:a:group-office:group_office:6.8.99:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
References	~~() https://github.com/Intermesh/groupoffice/commit/c5c83e19a5cdf93b0e758726c97597861f1d6eda -~~	() https://github.com/Intermesh/groupoffice/commit/c5c83e19a5cdf93b0e758726c97597861f1d6eda - Patch
References	~~() https://github.com/Intermesh/groupoffice/security/advisories/GHSA-j7p3-v652-p3gf -~~	() https://github.com/Intermesh/groupoffice/security/advisories/GHSA-j7p3-v652-p3gf - Exploit, Vendor Advisory
First Time		Group-office Group-office group Office
Summary		(es) Group-Office es una herramienta de CRM y groupware empresarial. Esta vulnerabilidad de XSS almacenado existe cuando la entrada del usuario en el campo Nombre no se depura correctamente antes de almacenarse. Esta vulnerabilidad se solucionó en la versión 6.8.100.

06 Mar 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-06 19:15

Updated : 2025-10-10 20:11

NVD link : CVE-2025-25191

Mitre link : CVE-2025-25191

CVE.ORG link : CVE-2025-25191

JSON object : View

Products Affected

group-office

group_office

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-25191", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-06T19:15:27.113", "references": [{"url": "https://github.com/Intermesh/groupoffice/commit/c5c83e19a5cdf93b0e758726c97597861f1d6eda", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-j7p3-v652-p3gf", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise CRM and groupware tool. This Stored XSS vulnerability exists where user input in the Name field is not properly sanitized before being stored. This vulnerability is fixed in 6.8.100."}, {"lang": "es", "value": "Group-Office es una herramienta de CRM y groupware empresarial. Esta vulnerabilidad de XSS almacenado existe cuando la entrada del usuario en el campo Nombre no se depura correctamente antes de almacenarse. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 6.8.100."}], "lastModified": "2025-10-10T20:11:15.313", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:group-office:group_office:6.8.99:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "030E2F72-AE59-4938-82B5-D22C755E594E"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}