VYPR

Vendor CVEs

Intermesh

All CVEs

31 total · sorted by risk
  • CVE-2026-34838CriApr 2, 2026
    risk 0.57cvss 9.9epss 0.01

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized…

  • CVE-2026-33755HigMar 27, 2026
    risk 0.50cvss 8.8epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to…

  • CVE-2026-45551MedMay 29, 2026
    risk 0.26cvss epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to 26.0.25, 25.0.100, and 6.8.165, GroupOffice allows authenticated users to persist arbitrary legacy settings for any user_id via index.php?r=core/saveSetting. A separate client-side sink…

  • CVE-2012-4240Sep 11, 2014
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in modules/calendar/json.php in Group-Office community before 4.0.90 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter.

  • CVE-2010-3428Sep 16, 2010
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in modules/notes/json.php in Intermesh Group-Office 3.5.9 allows remote attackers to execute arbitrary SQL commands via the category_id parameter in a category action.

  • CVE-2026-25512Feb 4, 2026
    risk 0.01cvss epss 0.19

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates…

  • CVE-2026-30238Mar 6, 2026
    risk 0.00cvss epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into…

  • CVE-2026-30237Mar 6, 2026
    risk 0.00cvss epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in the GroupOffice installer, endpoint install/license.php. The POST field license is rendered without…

  • CVE-2026-27947Feb 27, 2026
    risk 0.00cvss epss 0.01

    Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled…

  • CVE-2026-27832Feb 27, 2026
    risk 0.00cvss epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the `advancedQueryData` parameter (`comparator` field) on an authenticated endpoint.…

  • CVE-2026-25511Feb 4, 2026
    risk 0.00cvss epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal…

  • CVE-2026-25134Feb 2, 2026
    risk 0.00cvss epss 0.01

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be…

  • CVE-2026-23887Jan 21, 2026
    risk 0.00cvss epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact…

  • CVE-2025-63406Nov 13, 2025
    risk 0.00cvss epss 0.01

    An issue in Intermesh BV GroupOffice vulnerable before v.25.0.47 and 6.8.136 allows a remote attacker to execute arbitrary code via the dbToApi() and eval() in the FunctionField.php

  • CVE-2025-53505Aug 21, 2025
    risk 0.00cvss epss 0.00

    Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a path traversal vulnerability. If this vulnerability is exploited, information on the server hosting the product may be exposed.

  • CVE-2025-53504Aug 21, 2025
    risk 0.00cvss epss 0.00

    Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser.

  • CVE-2025-48993Jun 17, 2025
    risk 0.00cvss epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but…

  • CVE-2025-48992Jun 16, 2025
    risk 0.00cvss epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a stored and blind cross-site scripting (XSS) vulnerability exists in the Name Field of the user profile. A malicious attacker can change their name to a…

  • CVE-2025-48369May 22, 2025
    risk 0.00cvss epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a persistent Cross-Site Scripting (XSS) vulnerability exists in Groupoffice's tasks comment functionality, allowing attackers to execute arbitrary JavaScript…

  • CVE-2025-48368May 22, 2025
    risk 0.00cvss epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a DOM-based Cross-Site Scripting (XSS) vulnerability exists in the GroupOffice application, allowing attackers to execute arbitrary JavaScript code in the…

  • CVE-2025-48366May 22, 2025
    risk 0.00cvss epss 0.00

    Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a stored and blind XSS vulnerability exists in the Phone Number field of the user profile within the GroupOffice application. This allows a malicious actor…

  • CVE-2025-25191Mar 6, 2025
    risk 0.00cvss epss 0.00

    Group-Office is an enterprise CRM and groupware tool. This Stored XSS vulnerability exists where user input in the Name field is not properly sanitized before being stored. This vulnerability is fixed in 6.8.100.

  • CVE-2024-47904Oct 23, 2024
    risk 0.00cvss epss 0.00

    A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The affected devices contain a SUID binary…

  • CVE-2024-47903Oct 23, 2024
    risk 0.00cvss epss 0.00

    A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The web server of affected devices allows…

  • CVE-2024-47902Oct 23, 2024
    risk 0.00cvss epss 0.01

    A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The web server of affected devices does not…

  • CVE-2024-47901Oct 23, 2024
    risk 0.00cvss epss 0.01

    A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The web server of affected devices does not…

  • CVE-2024-22418Jan 18, 2024
    risk 0.00cvss epss 0.00

    Group-Office is an enterprise CRM and groupware tool. Affected versions are subject to a vulnerability which is present in the file upload mechanism of Group Office. It allows an attacker to execute arbitrary JavaScript code by embedding it within a file's name. For instance,…

  • CVE-2023-46730Nov 7, 2023
    risk 0.00cvss epss 0.01

    Group-Office is an enterprise CRM and groupware tool. In affected versions there is full Server-Side Request Forgery (SSRF) vulnerability in the /api/upload.php endpoint. The /api/upload.php endpoint does not filter URLs which allows a malicious user to cause the server to make…

  • CVE-2023-25292Apr 27, 2023
    risk 0.00cvss epss 0.01

    Reflected Cross Site Scripting (XSS) in Intermesh BV Group-Office version 6.6.145, allows attackers to gain escalated privileges and gain sensitive information via the GO_LANGUAGE cookie.

  • CVE-2021-28060Apr 14, 2021
    risk 0.00cvss epss 0.01

    A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php.

  • CVE-2007-2720May 16, 2007
    risk 0.00cvss epss 0.01

    Group-Office before 2.16-13 does not properly validate user IDs, which allows remote attackers to obtain sensitive information via certain requests for (1) message.php and (2) messages.php in modules/email/. NOTE: some of these details are obtained from third party information.