CVE-2025-48993

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27.

CVSS

No CVSS.

References

Link	Resource
https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd
https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11
https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv

Configurations

No configuration.

History

17 Jun 2025, 20:50

Type	Values Removed	Values Added
Summary		(es) Group-Office es una herramienta de gestión de relaciones con clientes empresariales y software colaborativo. En versiones anteriores a la 6.8.123 y la 25.0.27, se podía ejecutar una carga maliciosa de JavaScript a través de los campos de formato de apariencia. Cualquier usuario puede actualizar sus campos de entrada de formato de apariencia, pero la aplicación web no depura la información. Esto podría provocar un ataque de cross-site scripting (XSS) reflejado. Este problema se ha corregido en las versiones 6.8.123 y la 25.0.27.

17 Jun 2025, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-17 01:15

Updated : 2025-06-17 20:50

NVD link : CVE-2025-48993

Mitre link : CVE-2025-48993

CVE.ORG link : CVE-2025-48993

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-48993", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-17T01:15:22.360", "references": [{"url": "https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd", "source": "security-advisories@github.com"}, {"url": "https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11", "source": "security-advisories@github.com"}, {"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27."}, {"lang": "es", "value": "Group-Office es una herramienta de gesti\u00f3n de relaciones con clientes empresariales y software colaborativo. En versiones anteriores a la 6.8.123 y la 25.0.27, se pod\u00eda ejecutar una carga maliciosa de JavaScript a trav\u00e9s de los campos de formato de apariencia. Cualquier usuario puede actualizar sus campos de entrada de formato de apariencia, pero la aplicaci\u00f3n web no depura la informaci\u00f3n. Esto podr\u00eda provocar un ataque de cross-site scripting (XSS) reflejado. Este problema se ha corregido en las versiones 6.8.123 y la 25.0.27."}], "lastModified": "2025-06-17T20:50:23.507", "sourceIdentifier": "security-advisories@github.com"}