Unrated severityNVD Advisory· Published Jun 16, 2025· Updated Jun 17, 2025

Group-Office vulnerable to blind XSS

CVE-2025-48992

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a stored and blind cross-site scripting (XSS) vulnerability exists in the Name Field of the user profile. A malicious attacker can change their name to a javascript payload, which is executed when a user adds the malicious user to their Synchronization > Address books. This issue has been patched in versions 6.8.123 and 25.0.27.

Affected products

Intermesh/Groupofficev5
Range: < 6.8.123

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/Intermesh/groupoffice/commit/2e3695db9cdef1da7a9d754ff4d98f49f6924e2dmitrex_refsource_MISC
github.com/Intermesh/groupoffice/security/advisories/GHSA-j35g-q5mc-jwgpmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000