CVE-2025-48368
📋 TL;DR
A DOM-based cross-site scripting (XSS) vulnerability in Group-Office lets an attacker run arbitrary JavaScript in a victim's browser: the victim opens a crafted URL, and client-side script in the application writes the attacker-controlled value into the page without encoding it. The result can be session hijacking, defacement of the interface, or redirection to attacker-controlled sites. Installations running a release earlier than 6.8.119 on the 6.8 branch or earlier than 25.0.20 on the 25.0 branch are affected.
💻 Affected Systems
- Group-Office
📦 What is this software?
Group Office by Intermesh
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover through session hijacking, data theft, administrative privilege escalation, or deployment of malware to users.
Likely Case
Session hijacking leading to unauthorized access to CRM data, email compromise, or defacement of the Group-Office interface.
If Mitigated
Reduced impact where a strict Content-Security-Policy stops inline script from executing and the affected client-side code encodes untrusted values before inserting them into the DOM; a restrictive CSP can break parts of the interface, so expect some functional disruption while it is in place.
🎯 Exploit Status
Exploitation requires user interaction: the victim must open an attacker-supplied link or otherwise load a crafted URL. Because the payload is consumed by client-side script, it may be carried in the URL fragment, which the browser never sends to the server. Standard XSS techniques apply. No public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.8.119 or 25.0.20
Vendor Advisory: https://github.com/Intermesh/groupoffice/security/advisories/GHSA-c49j-qvp9-vgg6
Restart Required: Yes
Instructions:
1. Back up the Group-Office installation and its database.
2. Download the patched version (6.8.119 or 25.0.20) from the official repository.
3. Replace the existing installation files with the patched version.
4. Restart the web server service.
5. Confirm the update by checking the version shown in the admin panel.
🔧 Temporary Workarounds
Implement Content Security Policy (CSP)
Add a restrictive CSP header so the browser refuses inline scripts, javascript: URLs and scripts from any origin other than your own. This blocks the usual XSS payloads but does not remove the bug, and an application that relies on inline scripts will break under an enforced policy: roll it out first as Content-Security-Policy-Report-Only, review the violation reports, then enforce it.
Add to web server config: Content-Security-Policy: default-src 'self'; script-src 'self'
Output Encoding in Client-Side Code
A DOM-based XSS fires when client-side JavaScript reads an attacker-controlled source (for example location.hash, location.search or document.referrer) and writes it into a dangerous sink such as innerHTML, document.write() or eval(). Server-side validation with htmlspecialchars() is not a fix for this class: a payload carried in the URL fragment never reaches the server, and a value the server did encode can still be decoded and re-injected by script running in the page.
Until the vendor patch is applied, review any custom JavaScript, themes or modules you maintain in the installation and replace innerHTML-style insertion of untrusted values with textContent or an HTML-encoding helper.
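The source-to-sink pattern described above, as an added example that is not Group-Office's code: the parameter name `name`, the page path and the probe payload are made up for the demonstration, and a plain object stands in for a DOM element so the script runs under Node without a browser.

```javascript
// Added illustration of the DOM-based XSS pattern (attacker-controlled source
// written to an HTML sink) and its fix. Not Group-Office code: the parameter
// name "name", the path and the payload are invented for the demonstration.

// Source: a value taken from the URL fragment. The browser never sends the
// fragment to the server, so server-side filters, WAFs and access logs do not see it.
function nameFromFragment(urlString) {
  const url = new URL(urlString);
  return new URLSearchParams(url.hash.replace(/^#/, '')).get('name') || '';
}

// What the server actually receives for this URL: path and query string only.
function requestTarget(urlString) {
  const url = new URL(urlString);
  return url.pathname + url.search;
}

// Encode the five characters that can break out of an HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable sink: the untrusted value is concatenated into markup and parsed
// as HTML, so "<img src=x onerror=...>" becomes a live element with a handler.
function renderGreetingUnsafe(el, urlString) {
  el.innerHTML = '<h1>Welcome, ' + nameFromFragment(urlString) + '</h1>';
  return el.innerHTML;
}

// Hardened sink: the value is HTML-encoded before insertion. In a real browser,
// assigning the string to textContent instead of innerHTML has the same effect.
function renderGreetingSafe(el, urlString) {
  el.innerHTML = '<h1>Welcome, ' + escapeHtml(nameFromFragment(urlString)) + '</h1>';
  return el.innerHTML;
}

// Crude check for markup that would run script when parsed: a script element,
// an inline event-handler attribute, or an href pointing at a javascript: URL.
function containsActiveContent(html) {
  return /<script\b|<[a-z][^>]*\son[a-z]+\s*=|href\s*=\s*["']?javascript:/i.test(html);
}

// Constructed sample: a harmless alert() probe carried in the fragment.
const SAMPLE_URL =
  'https://groupoffice.example/index.php#name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';

const demoElement = { innerHTML: '' };
console.log('server sees  :', requestTarget(SAMPLE_URL));
console.log('unsafe markup:', renderGreetingUnsafe(demoElement, SAMPLE_URL),
  '-> active:', containsActiveContent(demoElement.innerHTML));
console.log('safe markup  :', renderGreetingSafe(demoElement, SAMPLE_URL),
  '-> active:', containsActiveContent(demoElement.innerHTML));
```

Run it with `node` and note the first line: the request the server logs is `/index.php`, with no trace of the payload, which is why the server-side workarounds and the log-based detection later on this page only cover part of the attack surface.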
🧯 If You Can't Patch
- Deploy a Web Application Firewall (WAF) with XSS rules enabled, but treat it as a partial control: a WAF inspects only what reaches the server, and a payload carried in the URL fragment is never transmitted.
- Disable or restrict access to the affected functionality once you have identified it from the vendor advisory.
🔍 How to Verify
Check if Vulnerable:
The installation is vulnerable if its version is below 6.8.119 on the 6.8 branch or below 25.0.20 on the 25.0 branch. Read the version from the admin panel or from the version markers in the source files.
Check Version:
Check the admin panel at /install/check.php or examine the core/config/version.php file.
Verify Fix Applied:
After patching, confirm that the admin panel reports 6.8.119 or 25.0.20 (or later) and re-test the previously affected functionality in a browser with harmless probe payloads, for example an alert() call, to confirm that nothing executes.
📡 Detection & Monitoring
Log Indicators:
- Script tags, inline event handlers (onerror=, onload=) or javascript: URLs in logged request URIs, including their URL-encoded and double-encoded forms (%3Cscript, %253Cscript)
- An existing session used from an unexpected IP address or user agent shortly after such a request, which is consistent with session hijacking
Network Indicators:
- HTTP requests whose query string carries script tags or JavaScript code (the URL fragment is never sent, so a fragment-based payload leaves no trace on the wire)
- Outbound connections from users' browsers to unknown domains immediately after they open a Group-Office page
SIEM Query:
source="web_server_logs" AND (http_uri="*<script*" OR http_uri="*javascript:*" OR http_uri="*onerror=*" OR http_uri="*onload=*")
This query matches only literal payloads. Add the URL-encoded forms (http_uri="*%3Cscript*", http_uri="*onerror%3D*") or percent-decode http_uri before matching, and keep in mind that anything after # in a URL is never sent to the server, so a purely fragment-based DOM XSS attempt will not appear in web-server logs at all.
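An added example, not part of the original page or of the vendor's tooling, that applies the indicators of the SIEM query above to constructed combined-format access-log lines (the addresses, timestamps and paths are invented) both literally and after percent-decoding the request target, so the encoded and double-encoded payloads that the literal query misses are caught:

```javascript
// Added detection example; not from the original page or the vendor. The log
// lines below are constructed for the demonstration.

// Literal indicators from the SIEM query, applied to the raw request target.
const LITERAL_INDICATORS = ['<script', 'javascript:', 'onerror=', 'onload='];

// The same indicators as patterns, applied after percent-decoding.
const DECODED_PATTERNS = [/<script\b/i, /javascript:/i, /\bon(error|load)\s*=/i];

// Combined Log Format: ip ident user [time] "method target protocol" status bytes ...
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

function parseLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Decode up to three times: attackers double-encode to slip past single-pass
// filters. Stop when decoding no longer changes the string or hits a malformed
// %-sequence, in which case the partially decoded value is kept for matching.
function fullyDecode(target) {
  let current = target;
  for (let i = 0; i < 3; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break;
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

function hasLiteralIndicator(target) {
  const lower = target.toLowerCase();
  return LITERAL_INDICATORS.some((s) => lower.includes(s));
}

function hasDecodedIndicator(target) {
  const decoded = fullyDecode(target);
  return DECODED_PATTERNS.some((re) => re.test(decoded));
}

// Returns one record per suspicious request, flagging which method caught it.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    const literal = hasLiteralIndicator(req.target);
    const decoded = hasDecodedIndicator(req.target);
    if (literal || decoded) {
      hits.push({ ip: req.ip, time: req.time, target: req.target, literal, decoded });
    }
  }
  return hits;
}

// Constructed sample log: an encoded <script> probe, a double-encoded onerror
// probe, a request whose payload sat in the fragment (and so is absent), and noise.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Jun/2025:08:15:02 +0000] "GET /index.php?r=search&q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Jun/2025:08:15:09 +0000] "GET /index.php?r=view&id=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Jun/2025:08:16:30 +0000] "GET /index.php HTTP/1.1" 200 7310 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Jun/2025:08:17:01 +0000] "POST /api/login HTTP/1.1" 401 122 "-" "curl/8.0"',
];

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`${hit.time} ${hit.ip} literal=${hit.literal} decoded=${hit.decoded} ${hit.target}`);
}
```

Both flagged requests have `literal=false` and `decoded=true`: the page's query as written would have matched neither, and the third line, whose payload travelled in the fragment, produces no hit by either method because the server never received it.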