Filtered by vendor Group-office Subscriptions
Total 9 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-46730 1 Group-office 1 Group Office 2024-09-04 7.4 High
Group-Office is an enterprise CRM and groupware tool. In affected versions there is full Server-Side Request Forgery (SSRF) vulnerability in the /api/upload.php endpoint. The /api/upload.php endpoint does not filter URLs which allows a malicious user to cause the server to make resource requests to untrusted domains. Note that protocols like file:// can also be used to access the server disk. The request result (on success) can then be retrieved using /api/download.php. This issue has been addressed in versions 6.8.15, 6.7.54, and 6.6.177. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2007-2720 1 Group-office 1 Group-office Groupware 2024-08-07 N/A
Group-Office before 2.16-13 does not properly validate user IDs, which allows remote attackers to obtain sensitive information via certain requests for (1) message.php and (2) messages.php in modules/email/. NOTE: some of these details are obtained from third party information.
CVE-2012-4240 1 Group-office 1 Groupoffice 2024-08-06 N/A
SQL injection vulnerability in modules/calendar/json.php in Group-Office community before 4.0.90 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter.
CVE-2020-35419 1 Group-office 1 Group Office 2024-08-04 6.1 Medium
Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter.
CVE-2020-35418 1 Group-office 1 Group Office 2024-08-04 5.4 Medium
Cross Site Scripting (XSS) in the contact page of Group Office CRM 6.4.196 by uploading a crafted svg file.
CVE-2021-28060 1 Group-office 1 Group Office 2024-08-03 5.3 Medium
A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php.
CVE-2023-25292 1 Group-office 1 Group Office 2024-08-02 6.1 Medium
Reflected Cross Site Scripting (XSS) in Intermesh BV Group-Office version 6.6.145, allows attackers to gain escalated privileges and gain sensitive information via the GO_LANGUAGE cookie.
CVE-2024-23941 1 Group-office 1 Group Office 2024-08-01 5.4 Medium
Cross-site scripting vulnerability exists in Group Office prior to v6.6.182, prior to v6.7.64 and prior to v6.8.31, which may allow a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product.
CVE-2024-22418 1 Group-office 1 Group Office 2024-08-01 6.5 Medium
Group-Office is an enterprise CRM and groupware tool. Affected versions are subject to a vulnerability which is present in the file upload mechanism of Group Office. It allows an attacker to execute arbitrary JavaScript code by embedding it within a file's name. For instance, using a filename such as “><img src=x onerror=prompt('XSS')>.jpg” triggers the vulnerability. When this file is uploaded, the JavaScript code within the filename is executed. This issue has been addressed in version 6.8.29. All users are advised to upgrade. There are no known workarounds for this vulnerability.