XSS in Intermesh Groupoffice
CVE-2025-48993
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Loo…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.001 (31.7th percentile)
Affected products
- Intermesh Groupoffice — versions < 6.8.123, < 25.0.27
Weakness classification (CWE)
References
- https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv (x_refsource_CONFIRM)
- https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd (x_refsource_MISC)
- https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11 (x_refsource_MISC)