CVE-2025-48993
MEDIUM EPSS 10.8%
Published Jun 17, 20251y ago · Modified Jun 17, 20262w ago
5.3 CVSS 4.0
Published Jun 17, 2025 1y ago
Last Modified Jun 17, 2026 2w ago
Description
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
10.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-79 Cross-site Scripting Injection
Affected Products 2
References 3
- github.com https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd
- github.com https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11
- github.com https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv
Remediation
- github.com https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd
- github.com https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11