Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Group-Office is an enterprise customer relationship management and groupware tool. Prior to 26.0.25, 25.0.100, and 6.8.165, GroupOffice allows authenticated users to persist arbitrary legacy settings for any user_id via index.php?r=core/saveSetting. A separate client-side sink in the email module injects the email_font_size setting directly into JavaScript without escaping. By combining these two issues, any low-privileged authenticated user can overwrite an administrator's email_font_size setting with a JavaScript payload and trigger stored XSS in the administrator's browser when the GroupOffice web client loads views/Extjs3/modulescripts.php. This vulnerability is fixed in 26.0.25, 25.0.100, and 6.8.165.
AnalysisAI
Stored XSS privilege escalation in Group-Office (enterprise CRM/groupware by Intermesh) allows any low-privileged authenticated user to execute arbitrary JavaScript in an administrator's browser by chaining two distinct flaws. The attack exploits a missing ownership check on the legacy settings API (index.php?r=core/saveSetting) - permitting writes to any user's settings regardless of identity - combined with an unsafe JavaScript sink in the email module that injects the email_font_size setting directly into rendered script without sanitization. No confirmed active exploitation exists (not in CISA KEV), but SSVC confirms a proof-of-concept exists, making this a credible privilege-escalation path for any attacker with a low-privileged account.
Technical ContextAI
Group-Office is a PHP-based enterprise CRM and groupware platform (CPE: cpe:2.3:a:intermesh:groupoffice). The vulnerability chain involves two distinct weaknesses rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation). First, the legacy settings persistence endpoint index.php?r=core/saveSetting performs no ownership or authorization check on the user_id parameter, allowing any authenticated user to overwrite settings belonging to arbitrary accounts - a classic IDOR pattern. Second, the email module's front-end rendering code in views/Extjs3/modulescripts.php interpolates the stored email_font_size setting value directly into a JavaScript context without HTML or JavaScript escaping. The use of 'legacy settings' terminology in the advisory suggests this sink predates modern output-encoding practices in the codebase. The attack is delivered over the network (AV:N), requires no special attack conditions (AT:N in CVSS 4.0), and exploits passive user interaction when the administrator's browser loads the email module scripts during normal application use (UI:P).
RemediationAI
Upgrade Group-Office to 26.0.25 (26.0.x branch), 25.0.100 or 25.0.1005 - verify the exact fix version for the 25.0.x branch in advisory GHSA-9w92-p32g-g99p - or 6.8.165 (6.8.x branch), as confirmed by the vendor via https://github.com/Intermesh/groupoffice/security/advisories/GHSA-9w92-p32g-g99p. If immediate patching is not feasible, the most targeted compensating control is to block or restrict POST requests to index.php?r=core/saveSetting at the WAF or reverse proxy layer for non-administrative roles; this severs the first link in the attack chain by preventing unauthorized settings writes. Note that this control may break legitimate user preferences functionality if low-privileged users need to save their own settings, so a more precise rule restricting the user_id parameter to the authenticated session's own ID may be preferable but requires application-aware filtering. Additionally, restricting Group-Office access to trusted internal networks reduces exposure to untrusted authenticated users who could otherwise exploit this chain.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33290