CVE-2025-48993 MEDIUM

CVE-2025-48993: Group-Office vulnerable to reflected XSS via Look and Feel Formatting input

Vendor Intermesh
Product groupoffice
Weakness CWE-79 · XSS
Published June 17, 2025
Last update June 17, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27.

Key dates

02Disclosure timeline

June 17, 2025 CVE published
June 17, 2025 Record updated

Related vulnerabilities

04Related CVE