CVE-2025-25191 MEDIUM

CVE-2025-25191: Group-Office has a Stored XSS Vulnerability via user's name field

Vendor Intermesh

Product groupoffice

Weakness CWE-79 · XSS

Published March 6, 2025

Last update March 6, 2025

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Group-Office is an enterprise CRM and groupware tool. This Stored XSS vulnerability exists where user input in the Name field is not properly sanitized before being stored. This vulnerability is fixed in 6.8.100.

Key dates

02Disclosure timeline

March 6, 2025 CVE published

March 6, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-25191 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2026-23926 Stored XSS vulnerability in Host navigator widget maintenance tooltip CVE-2023-4136 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crafter Engine CVE-2022-44743 WordPress Jobs for WordPress Plugin <= 2.5.11.2 is vulnerable to Cross Site Scripting (XSS) CVE-2025-49578 Citizen allows stored XSS in user registration date message CVE-2025-46447 WordPress Fable Extra plugin <= 1.0.6 - Cross Site Scripting (XSS) Vulnerability