CVE-2026-23887
📋 TL;DR
Group-Office versions 6.8.148 and below, and 25.0.1 through 25.0.79, have a stored XSS vulnerability: uploaded filenames are stored in the database without sanitization, and when a user later views such a filename in the application, JavaScript embedded in it executes in that user's browser. This affects every user who interacts with file names in a vulnerable Group-Office instance.
💻 Affected Systems
- Group-Office
📦 What is this software?
Group Office by Group Office
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts through client-side attacks.
Likely Case
Attackers with access to upload files could embed malicious JavaScript in filenames that executes when other users view those files, potentially stealing session data or performing unauthorized actions.
If Mitigated
With proper input validation and output encoding, the malicious JavaScript would be rendered harmless as plain text rather than executable code.
🎯 Exploit Status
Exploitation requires ability to upload files with malicious filenames, but once uploaded, the XSS triggers automatically when users view the files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.8.149 and 25.0.80
Vendor Advisory: https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gj5-gvvr-g6hp
Restart Required: Yes
Instructions:
1. Backup your Group-Office installation and database.
2. Download and install version 6.8.149 (for the 6.x branch) or 25.0.80 (for the 25.x branch).
3. Restart the web server and Group-Office services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to sanitize filenames before storage
Implement filename sanitization in file upload handlers to strip or encode HTML/JavaScript special characters
Output Encoding
Apply proper HTML encoding when displaying filenames in the user interface
Ensure all filename outputs use appropriate encoding functions (e.g., htmlspecialchars in PHP)
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in filenames
- Restrict file upload permissions to trusted users only and monitor for suspicious filenames
🔍 How to Verify
Check if Vulnerable:
Check the Group-Office version in the administration panel or by examining the application files. Versions 6.8.148 and below, or 25.0.1 through 25.0.79, are vulnerable.
Check Version:
Check the Group-Office admin panel or examine the version.php file in the installation directory
Verify Fix Applied:
After patching, verify that the version shown is 6.8.149, 25.0.80, or higher. Test by uploading a file whose name contains an XSS-style payload (for example a script tag) and confirming that the name is displayed as plain text rather than rendered as markup.
📡 Detection & Monitoring
Log Indicators:
- Unusual filenames containing JavaScript or HTML tags in upload logs
- Multiple failed file upload attempts with suspicious names
Network Indicators:
- HTTP requests with filenames containing script tags or JavaScript code
SIEM Query:
source="groupoffice" AND (filename CONTAINS "<script>" OR filename CONTAINS "javascript:" OR filename CONTAINS "onerror=" OR filename CONTAINS "onload=")
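The following is an added example (not Group-Office code) that ties together the "Output Encoding" workaround above and this section's SIEM query: it shows the vulnerable rendering pattern beside its encoded form, and runs the page's four filename markers over a handful of constructed upload-log lines. The key=value log format and the sample lines are assumptions for illustration; real Group-Office logs may look different.

```python
import html
import re

# Constructed sample upload-log lines in the key=value shape the page's "Log
# Indicators" describe. The format is an assumption, not real Group-Office
# output; the source="groupoffice" field mirrors the page's SIEM query.
SAMPLE_UPLOAD_LOG = [
    'source="groupoffice" user=alice filename="quarterly-report.pdf" status=ok',
    'source="groupoffice" user=bob filename="<script>alert(1)</script>.txt" status=ok',
    'source="groupoffice" user=bob filename="photo.jpg onload=alert(1)" status=failed',
    'source="groupoffice" user=carol filename="javascript:void(0).html" status=ok',
    'source="otherapp" user=dave filename="<script>x</script>" status=ok',
]

# The four substrings used in the page's SIEM query.
XSS_MARKERS = ("<script>", "javascript:", "onerror=", "onload=")
FILENAME_RE = re.compile(r'filename="([^"]*)"')


def render_filename_unsafe(name: str) -> str:
    """Vulnerable pattern: the stored filename is concatenated straight into
    HTML, so <script>...</script>.txt becomes live markup in the viewer's page."""
    return f'<a class="file">{name}</a>'


def render_filename_safe(name: str) -> str:
    """Hardened pattern (the page's "Output Encoding" workaround). html.escape
    with quote=True is the Python counterpart of PHP htmlspecialchars with
    ENT_QUOTES: <, >, &, " and ' become entities, so the browser shows the
    filename as text instead of parsing it as markup."""
    return f'<a class="file">{html.escape(name, quote=True)}</a>'


def matches_siem_query(line: str) -> bool:
    """The page's SIEM query applied to one log line: source must be groupoffice
    and the filename field must contain a marker. Matching is lowercased, which
    is slightly broader than the page's query so that <SCRIPT> is caught too."""
    if 'source="groupoffice"' not in line:
        return False
    match = FILENAME_RE.search(line)
    if match is None:
        return False
    filename = match.group(1).lower()
    return any(marker in filename for marker in XSS_MARKERS)


def flag_suspicious_uploads(lines):
    """Return the log lines the detection rule would alert on."""
    return [line for line in lines if matches_siem_query(line)]
```

Substring matching like this is a monitoring aid, not a control: encoded or split variants of a payload will slip past it, which is why the output encoding in render_filename_safe is the fix that actually closes the issue.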