VYPR

Group Office Groupware

by Intermesh

CVEs (17)

  • CVE-2010-3428 · Sep 16, 2010
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in modules/notes/json.php in Intermesh Group-Office 3.5.9 allows remote attackers to execute arbitrary SQL commands via the category_id parameter in a category action.

  • CVE-2026-25512 · Feb 4, 2026
    risk 0.01 · cvss · epss 0.19

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates…

  • CVE-2026-30238 · Mar 6, 2026
    risk 0.00 · cvss · epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into…

  • CVE-2026-30237 · Mar 6, 2026
    risk 0.00 · cvss · epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in the GroupOffice installer, endpoint install/license.php. The POST field license is rendered without…

  • CVE-2026-27947 · Feb 27, 2026
    risk 0.00 · cvss · epss 0.01

    Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled…

  • CVE-2026-27832 · Feb 27, 2026
    risk 0.00 · cvss · epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the `advancedQueryData` parameter (`comparator` field) on an authenticated endpoint.…

  • CVE-2026-25511 · Feb 4, 2026
    risk 0.00 · cvss · epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal…

  • CVE-2026-25134 · Feb 2, 2026
    risk 0.00 · cvss · epss 0.01

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be…

  • CVE-2026-23887 · Jan 21, 2026
    risk 0.00 · cvss · epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact…

  • CVE-2025-48993 · Jun 17, 2025
    risk 0.00 · cvss · epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but…

  • CVE-2025-48992 · Jun 16, 2025
    risk 0.00 · cvss · epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a stored and blind cross-site scripting (XSS) vulnerability exists in the Name Field of the user profile. A malicious attacker can change their name to a…

  • CVE-2025-48369 · May 22, 2025
    risk 0.00 · cvss · epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a persistent Cross-Site Scripting (XSS) vulnerability exists in Groupoffice's tasks comment functionality, allowing attackers to execute arbitrary JavaScript…

  • CVE-2025-48368 · May 22, 2025
    risk 0.00 · cvss · epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a DOM-based Cross-Site Scripting (XSS) vulnerability exists in the GroupOffice application, allowing attackers to execute arbitrary JavaScript code in the…

  • CVE-2025-48366 · May 22, 2025
    risk 0.00 · cvss · epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a stored and blind XSS vulnerability exists in the Phone Number field of the user profile within the GroupOffice application. This allows a malicious actor…

  • CVE-2025-25191 · Mar 6, 2025
    risk 0.00 · cvss · epss 0.00

    Group-Office is an enterprise CRM and groupware tool. This Stored XSS vulnerability exists where user input in the Name field is not properly sanitized before being stored. This vulnerability is fixed in 6.8.100.

  • CVE-2021-28060 · Apr 14, 2021
    risk 0.00 · cvss · epss 0.01

    A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php.

  • CVE-2007-2720 · May 16, 2007
    risk 0.00 · cvss · epss 0.01

    Group-Office before 2.16-13 does not properly validate user IDs, which allows remote attackers to obtain sensitive information via certain requests for (1) message.php and (2) messages.php in modules/email/. NOTE: some of these details are obtained from third party information.