Group‑Office allows any authenticated user to persist arbitrary legacy settings for any user ID via the endpoint index.php?r=core/saveSetting. A separate client‑side sink in the email module injects the email_font_size setting directly into JavaScript without escaping. By combining these two flaws, an attacker with low privileges can overwrite an administrator's email_font_size setting with malicious JavaScript. When the administrator loads the module scripts, the payload executes in the admin's browser, resulting in stored XSS. This allows the attacker to read or modify the administrator’s session data, potentially leading to credential theft or further business‑network attacks. Based on the description, it is inferred that the attack vector requires only authentication and does not rely on additional network privileges.

Versions of Intermesh Group‑Office older than 26.0.25, 25.0.100, and 6.8.165 are vulnerable. The issue originates from a lack of access control on the legacy settings endpoint and the absence of escaping when rendering the email_font_size setting in client‑side code. Administrators using any of these affected releases with default role configurations are at risk.

The CVSS score of 5.1 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw because the saveSetting endpoint accepts arbitrary user_id values from any authenticated session. The resulting stored XSS runs with the privileges of the administrator’s browser session, exposing the admin to confidentiality, integrity, and availability risks. The likely attack vector is a simple authenticated web request to the saveSetting endpoint, followed by an admin navigation to the module scripts view.