Skip to main content

Group Office CVE-2025-53504

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-08-21 vultures@jpcert.or.jp
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 19:08 vuln.today
CVE Published
Aug 21, 2025 - 05:15 nvd
MEDIUM 4.8

DescriptionCVE.org

Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser.

AnalysisAI

Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a cross-site scripting vulnerability. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser. Affected products include: Group-Office Group Office. Version information: prior to 6.8.119.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2026-25512 HIGH POC
8.8 Feb 04

Authenticated attackers can execute arbitrary commands on Group-Office servers through unsanitized user input in the ema

CVE-2026-25134 HIGH POC
8.8 Feb 02

Remote code execution in Group Office versions prior to 6.8.150, 25.0.82, and 26.0.5 allows authenticated attackers to e

CVE-2023-46730 HIGH POC
8.8 Nov 07

Group-Office is an enterprise CRM and groupware tool. Rated high severity (CVSS 8.8), this vulnerability is remotely exp

CVE-2025-25191 MEDIUM POC
6.9 Mar 06

Group-Office is an enterprise CRM and groupware tool. Rated medium severity (CVSS 6.9), this vulnerability is remotely e

CVE-2023-25292 MEDIUM POC
6.1 Apr 27

Reflected Cross Site Scripting (XSS) in Intermesh BV Group-Office version 6.6.145, allows attackers to gain escalated pr

CVE-2026-30238 MEDIUM POC
6.1 Mar 06

Reflected cross-site scripting in GroupOffice versions before 6.8.155, 25.0.88, and 26.0.10 allows unauthenticated attac

CVE-2026-30237 MEDIUM POC
6.1 Mar 06

Reflected cross-site scripting in GroupOffice installer versions prior to 6.8.155, 25.0.88, and 26.0.10 allows unauthent

CVE-2025-48368 MEDIUM POC
5.8 May 22

Group-Office is an enterprise customer relationship management and groupware tool. Rated medium severity (CVSS 5.8), thi

CVE-2026-23887 MEDIUM POC
5.4 Jan 22

Stored XSS in Group-Office through unsanitized filenames allows authenticated users to inject malicious scripts that exe

CVE-2024-22418 MEDIUM POC
5.4 Jan 18

Group-Office is an enterprise CRM and groupware tool. Rated medium severity (CVSS 5.4), this vulnerability is remotely e

CVE-2021-28060 MEDIUM POC
5.3 Apr 14

A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET request

CVE-2026-25511 MEDIUM POC
4.9 Feb 04

Server-side request forgery in Group Office's WOPI service discovery allows authenticated System Administrators to acces

Share

CVE-2025-53504 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy