CVE-2025-48993

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-48993

6.1 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

G

roup-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27.

References
Link Resource
https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd Patch
https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11 Patch
https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*
cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*
History

04 Sep 2025, 15:57

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.1
First Time Intermesh
Intermesh group-office
References () https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd - () https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd - Patch
References () https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11 - () https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11 - Patch
References () https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv - () https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv - Third Party Advisory
CPE cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*

17 Jun 2025, 20:50

Type Values Removed Values Added
Summary
  • (es) Group-Office es una herramienta de gestión de relaciones con clientes empresariales y software colaborativo. En versiones anteriores a la 6.8.123 y la 25.0.27, se podía ejecutar una carga maliciosa de JavaScript a través de los campos de formato de apariencia. Cualquier usuario puede actualizar sus campos de entrada de formato de apariencia, pero la aplicación web no depura la información. Esto podría provocar un ataque de cross-site scripting (XSS) reflejado. Este problema se ha corregido en las versiones 6.8.123 y la 25.0.27.

17 Jun 2025, 01:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-17 01:15

Updated : 2025-09-04 15:57

NVD link : CVE-2025-48993

Mitre link : CVE-2025-48993

CVE.ORG link : CVE-2025-48993

JSON object : View

Products Affected

intermesh

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')