Unrated severityNVD Advisory· Published Jun 17, 2025· Updated Jun 17, 2025

Group-Office vulnerable to reflected XSS via Look and Feel Formatting input

CVE-2025-48993

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27.

Affected products

Intermesh/Groupofficev5
Range: < 6.8.123

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcddmitrex_refsource_MISC
github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11mitrex_refsource_MISC
github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gvmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000