CVE-2025-48368 MEDIUM

CVE-2025-48368: GroupOffice's DOM-Based XSS in all Date Input Fields Allows Arbitrary JavaScript Execution

Vendor Intermesh

Product groupoffice

Weakness CWE-79 · XSS

Published May 22, 2025

Last update May 22, 2025

View on NVD All CVEs

CVSS base score

5.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P

What the vulnerability does

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a DOM-based Cross-Site Scripting (XSS) vulnerability exists in the GroupOffice application, allowing attackers to execute arbitrary JavaScript code in the context of the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability can be triggered by injecting a crafted payload into a parameter that is later processed unsafely in the DOM. Versions 6.8.119 and 25.0.20 contain a fix for the issue.

Key dates

Disclosure timeline

May 22, 2025 CVE published

May 22, 2025 Record updated

Identifiers

CVE CVE-2025-48368

CWE CWE-79

CVSS 5.8 / MEDIUM

Affected versions

Vendor Intermesh

Product groupoffice

Affected < 6.8.119

Vendor Intermesh

Product groupoffice

Affected < 25.0.20