Description
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing </script><script>...</script> injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.
Published: 2026-03-06
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS enabling arbitrary JavaScript execution in users' browsers
Action: Patch
AI Analysis

Impact

Group‑Office exposes a reflected cross‑site scripting flaw in its external index interface. A parameter named f, which carries Base64‑encoded JSON, is decoded and injected directly into an inline JavaScript block without proper escaping. By crafting a payload that closes the existing script block, injects new script tags, and reopens the block, an attacker can execute arbitrary JavaScript in a victim’s browser when the vulnerable URL is visited. The vulnerability is classified as CWE‑79 and allows an attacker to run client‑side code, potentially hijacking user sessions, exfiltrating data, or delivering phishing content. The flaw is a client‑side‑only compromise; it does not grant the attacker server‑side privileges or direct access to system resources. The risk is moderate: the CVSS base score is 5.1, and the EPSS score is below 1%, indicating a low probability of exploitation. At present the flaw is not in the CISA KEV catalog, and there is no public exploitation evidence. An attacker would need to convince a user to visit a maliciously crafted URL (e.g., via phishing or social engineering).
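The sink described above, reduced to a minimal model, beside one escaping strategy that keeps the JSON inside the script block. This is an added illustration, not Group-Office's code and not the vendor patch; the `renderUnsafe`/`renderSafe` page builders and the sample parameter are assumptions.

```javascript
// Added example (not Group-Office code, not the vendor patch); names are assumptions.

// Vulnerable pattern: the decoded JSON text is dropped into the block verbatim,
// so a string value containing "</script>" ends the block for the HTML parser.
function renderUnsafe(fParamB64) {
  const json = Buffer.from(fParamB64, "base64").toString("utf8");
  return `<script>var f = ${json};</script>`;
}

// Re-serialize the parsed value and escape the characters the HTML parser acts
// on before any JavaScript runs (<, >, &), plus the JS line terminators
// U+2028/U+2029. JSON.parse of the result still yields the original value.
function jsonForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened pattern: parse first (rejecting anything that is not JSON), then
// embed only the escaped re-serialization.
function renderSafe(fParamB64) {
  const json = Buffer.from(fParamB64, "base64").toString("utf8");
  let value;
  try {
    value = JSON.parse(json);
  } catch {
    return "<script>var f = null;</script>";
  }
  return `<script>var f = ${jsonForInlineScript(value)};</script>`;
}

// Check: a correctly rendered page contains exactly one closing script tag.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample parameter whose string value tries to break out of the block.
const CONSTRUCTED_F = Buffer.from(
  JSON.stringify({ t: "</script><script>/*probe*/</script>" }),
).toString("base64");

console.log(countScriptCloses(renderUnsafe(CONSTRUCTED_F))); // 3: block broken open
console.log(countScriptCloses(renderSafe(CONSTRUCTED_F)));   // 1: block intact
```

A CSP without `'unsafe-inline'` (as recommended below) is a second layer: the injected block would then be refused even if escaping were missed.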

Affected Systems

The flaw affects Intermesh Group‑Office installations running any version prior to 6.8.155, 25.0.88, or 26.0.10. All components that expose the external/index endpoint are impacted; newer releases beyond those specified already contain the patch.

Risk and Exploitability

Attackers can exploit the flaw remotely by directing a victim to a forged external/index URL with a maliciously crafted f parameter. Because the input is unescaped in JavaScript, the attacker can inject code that runs in the victim’s browser context. Compromise requires user interaction, i.e., the victim browsing the crafted link. Given the low EPSS score, realistic exploitation will be rare unless the organization is targeted by a sophisticated attacker who can lure users to the malicious URL. The CVSS score of 5.1 indicates a medium severity risk that can compromise confidentiality and integrity of client data, but it does not provide a remote code execution vector or direct server access.

Generated by OpenCVE AI on April 16, 2026 at 11:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Intermesh vendor patch by upgrading to Group‑Office version 6.8.155, 25.0.88, or 26.0.10 or later.
  • Deploy a web application firewall rule to block or sanitize the f query parameter on the external/index endpoint.
  • Configure a strict Content Security Policy that disallows inline script execution and limits script sources to trusted domains.



Advisories

No advisories yet.

History

Wed, 11 Mar 2026 13:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Mon, 09 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Intermesh, Intermesh group-office
Vendors & Products | | Intermesh, Intermesh group-office

Fri, 06 Mar 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing </script><script>...</script> injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.
Title | | Group-Office: Reflected XSS in JavaScript context
Weaknesses | | CWE-79
References | |
Metrics | | cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:54:28.592Z

Reserved: 2026-03-04T17:23:59.798Z

Link: CVE-2026-30238

Vulnrichment

Updated: 2026-03-09T20:47:28.305Z

NVD

Status: Analyzed

Published: 2026-03-06T22:16:01.437

Modified: 2026-03-11T13:32:48.030

Link: CVE-2026-30238

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses