CVE-2025-48993

MEDIUM EPSS 10.8%
Published Jun 17, 20251y ago · Modified Jun 17, 20262w ago
5.3 CVSS 4.0
Medium
Find Similar
Published Jun 17, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27.

CVSS Details

Base Score
5.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
10.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 2

VendorProductVersionRange
intermeshgroup-office* <6.8.123
intermeshgroup-office*≥25.0.1  –  <25.0.27

References 3

  • github.com https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd
    Patch
  • github.com https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11
    Patch
  • github.com https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv
    Third Party Advisory

Remediation

  • github.com https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd
    Patch
  • github.com https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11
    Patch