CVE-2025-25191
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in Group-Office lets an authenticated user place a script payload in the Name field. The payload is saved with the record and executes in the browser of any other user who later views it. All Group-Office users who can view user profiles or contact information are potentially affected. Exploitation requires a victim to view the stored content; a successful attack can lead to session hijacking, credential theft, or actions performed in the victim's session.
💻 Affected Systems
- Group-Office CRM and groupware
📦 What is this software?
Group-Office, the open-source groupware and CRM suite developed by Intermesh (https://github.com/Intermesh/groupoffice)
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain unauthorized access to sensitive CRM data, perform actions as other users, or deploy malware to client browsers.
Likely Case
Attackers steal user session cookies to impersonate legitimate users, access sensitive business data, or redirect users to malicious sites.
If Mitigated
With context-aware output encoding at render time (and input validation as a secondary layer), an injected payload is shown as literal text rather than interpreted as markup or script.
🎯 Exploit Status
Exploitation requires an authenticated account that can edit the Name field; a stored XSS payload is trivial to craft, and any user who views the stored record triggers it without further interaction from the attacker.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.8.100
Vendor Advisory: https://github.com/Intermesh/groupoffice/security/advisories/GHSA-j7p3-v652-p3gf
Restart Required: Yes
Instructions:
1. Back up your Group-Office installation and database.
2. Download version 6.8.100 from the official repository.
3. Replace the existing files with the patched version.
4. Restart your web server.
5. Verify the fix by checking the version in the admin panel.
🔧 Temporary Workarounds
Input Sanitization via Web Application Firewall
Configure WAF rules to block XSS payloads in the parameter that carries the Name field. This only catches known patterns: encoded or obfuscated payloads can slip past it, and it does nothing about payloads that are already stored in the database.
# Example ModSecurity rule (the parameter name "name" is an assumption; match it to the actual form field):
SecRule ARGS:name "@detectXSS" "id:1001,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,deny,status:403,log,msg:'XSS payload in name parameter'"
Content Security Policy Header
Implement a Content Security Policy to restrict where scripts may load from. A policy that allows 'unsafe-inline' gives no protection against this bug, because the injected payload is itself an inline script; only a policy without 'unsafe-inline' (using nonces or hashes for legitimate inline scripts) blocks it. Group-Office's front end may depend on inline scripts, so deploy in report-only mode first and review the violation reports before enforcing.
# Add to web server config (Apache), report-only first:
Header set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
🧯 If You Can't Patch
- Restrict who can edit the Name field (for example, limit profile and contact editing to trusted roles) until the patch can be applied, and review existing records for stored payloads.
- Implement context-aware output encoding (HTML element and attribute contexts) for all user-controlled data displayed in web pages.
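The "If Mitigated" and output-encoding points above describe the fix in one sentence; the following Python example (added here, not Group-Office code, which is PHP) shows the vulnerable and hardened rendering patterns side by side and checks the result with a real HTML parser. It deliberately covers the attribute context as well as the element context, because a Name value typically appears both as visible text and inside a form field's value="..." attribute; payloads and markup are constructed for the demo.

```python
import html
from html.parser import HTMLParser

# Constructed payloads (not taken from the advisory): one that injects a
# <script> element, one that breaks out of a quoted attribute instead.
PAYLOAD_ELEMENT = "<script>alert('XSS')</script>"
PAYLOAD_ATTRIBUTE = '" onmouseover="alert(1)'


def render_profile_unsafe(name: str) -> str:
    """Vulnerable pattern: the stored field is concatenated straight into
    markup, once as element text and once inside an attribute value."""
    return (f"<h2>{name}</h2>"
            f'<input type="text" name="name" value="{name}">')


def render_profile_safe(name: str) -> str:
    """Hardened pattern: HTML-encode at output time. quote=True also encodes
    the quote characters, so the value cannot close the attribute it sits in
    and start a new one (the attribute-context escape)."""
    esc = html.escape(name, quote=True)
    return (f"<h2>{esc}</h2>"
            f'<input type="text" name="name" value="{esc}">')


class InjectionDetector(HTMLParser):
    """Walks the rendered markup and records anything a browser would run:
    <script> elements and on*= event-handler attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.event_handlers: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for key, _value in attrs:
            if key.startswith("on"):
                self.event_handlers.append((tag, key))


def has_injected_script(rendered: str) -> bool:
    """True if the rendered page contains executable injected content."""
    detector = InjectionDetector()
    detector.feed(rendered)
    detector.close()
    return detector.script_tags > 0 or bool(detector.event_handlers)


if __name__ == "__main__":
    for payload in (PAYLOAD_ELEMENT, PAYLOAD_ATTRIBUTE):
        print("unsafe:", has_injected_script(render_profile_unsafe(payload)))
        print("safe:  ", has_injected_script(render_profile_safe(payload)))
```

Both payloads execute under the unsafe renderer and neither does under the safe one. Note that escaping for the element context alone (quote=False) would still leave the attribute payload live, which is why the encoding must match the context the value lands in.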
🔍 How to Verify
Check if Vulnerable:
On a non-production copy, enter <script>alert('XSS')</script> in the Name field, then view the record from a second account; a dialog means the stored payload executed.
Check Version:
Check the version in the Group-Office admin panel (About / system information). As a rough file-system check, which is noisy and depends on the install layout: grep -ri "version" /path/to/groupoffice/ | grep -i "6\.8"
Verify Fix Applied:
After patching, attempt the same XSS test; the script should appear as plain text, not execute.
📡 Detection & Monitoring
Log Indicators:
- POST requests to user-profile or contact endpoints whose parameters contain script fragments (raw or URL-encoded, e.g. %3Cscript%3E); note that standard access logs record the query string but not the POST body, so this usually needs WAF or application logs
- Repeated such requests from one source, especially if some were blocked with a 403 by a WAF rule, which points to an attacker iterating on a payload
Network Indicators:
- HTTP requests containing <script>, javascript: or on*= fragments in the Name parameter value, including URL-encoded and double-encoded forms
- Outbound requests from user browsers to unfamiliar hosts immediately after a profile or contact page is viewed, a common sign of session-cookie exfiltration
SIEM Query:
source="web_logs" AND ("<script" OR "%3Cscript" OR "javascript:" OR "javascript%3A") AND uri_path="/groupoffice/modules/users/"
(The uri_path is an example; adjust it to the endpoint that saves the Name field in your deployment, and check both raw and percent-encoded forms because browsers encode the payload in transit.)
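The indicators and SIEM query above match literal strings, which miss URL-encoded and double-encoded payloads. The following Python example (added here, not part of the original advisory or of Group-Office) runs the same detection logic over constructed Apache combined-format log lines: it parses each request, decodes the query parameters repeatedly until stable, flags XSS markers, and lists sources with repeated attempts. The path /groupoffice/modules/users/ and the parameter name "name" are assumptions carried over from the query above; the log lines are fabricated for the demo.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlparse

# Constructed Apache combined-format lines (not real Group-Office logs).
# Line 3 is double-encoded (%25 -> %), line 6 is a POST whose body, where a
# real payload would travel, is not recorded by the access log at all.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:09:12:01 +0000] "GET /groupoffice/modules/users/?name=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2025:09:12:44 +0000] "GET /groupoffice/modules/users/?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2025:09:13:02 +0000] "GET /groupoffice/modules/users/?name=%253Cscript%253Ealert(1)%253C%2Fscript%253E HTTP/1.1" 403 199 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2025:09:14:10 +0000] "GET /groupoffice/modules/users/?name=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2025:09:15:00 +0000] "GET /groupoffice/modules/users/?name=javascript%3Aalert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.2 - - [10/Mar/2025:09:16:00 +0000] "POST /groupoffice/modules/users/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# client ip, method, request target and status from a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Markers once the value is fully decoded: script tag, javascript: URL,
# or an event-handler attribute such as onmouseover=.
XSS_MARKERS = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so double-encoded
    payloads (%253C -> %3C -> <) are seen in their final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str) -> list[dict]:
    """Return one hit per suspicious query parameter in the log text."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        ip, method, target, status = match.groups()
        # parse_qsl decodes one layer; fully_decode handles the rest
        for param, raw_value in parse_qsl(urlparse(target).query, keep_blank_values=True):
            decoded = fully_decode(raw_value)
            if XSS_MARKERS.search(decoded):
                hits.append({"ip": ip, "method": method, "status": status,
                             "param": param, "decoded": decoded})
    return hits


def repeat_offenders(hits: list[dict], threshold: int = 2) -> list[str]:
    """Sources with at least `threshold` flagged requests, i.e. someone
    iterating on a payload rather than a one-off false positive."""
    counts = Counter(h["ip"] for h in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} {h["status"]} {h["param"]}={h["decoded"]!r}')
    print("repeat offenders:", repeat_offenders(found))
```

The run flags four of the six lines, including the double-encoded one that a literal "<script>" match would miss, and shows 10.0.0.7 and 10.0.0.9 as repeat offenders. The POST line produces no hit, which is the point made above: to see payloads submitted in a request body you need WAF or application-level logging, not just the access log.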